Tropicalista/SuperSeo

google.json is a security risk

Opened this issue · 8 comments

Putting the google.json file there is a security risk; it can be read via /modules/contentbox/modules_user/superseo/models/google.json

I think a better approach would be to add it as a setting in Conf or as a setting in the database.
I have checked the GoogleCredential Javadocs and couldn't find a method to set the JSON via a string.

So you could do the following:
```cfml
// Build the credential from an in-memory string instead of a file on disk
var stringReader = createObject("java", "java.io.StringReader");
var googleSettings = stringReader.init(' .... JSON FOLLOWS HERE (PULL FROM SETTINGS) ');
variables.ReaderInputStream = createObject("java", "org.apache.commons.io.input.ReaderInputStream");

// Wrap the Reader as an InputStream, which is what fromStream() expects
var fakeStream = variables.ReaderInputStream.init(googleSettings);

return variables.credential
    .fromStream( fakeStream ); // INSTEAD OF variables.fileObj.init(getFileName())
```

Do you suggest copy/pasting the JSON into a setting?

That way the user would have to edit the config manually and do a reinit.

Either put it in Coldbox.cfc as a setting or make it editable via backend. What suits you the most. If you like I can do a PR for this.

Isn't /modules/contentbox/modules_user/superseo/models/google.json secured by default?

I tried with my local dev and I could read the JSON file.

I would say it depends on the rewrite rules in .htaccess, which you should not rely on:
```apache
#Images, css, javascript and docs, add your own extensions if needed.
RewriteCond %{REQUEST_URI} .(bmp|gif|jpe?g|png|css|js|txt|xls|ico|swf)$
RewriteRule ^(.*)$ - [NC,L]

#The ColdBox index.cfm/{path_info} rules.
RewriteRule ^$ index.cfm [QSA,NS]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.cfm/%{REQUEST_URI} [QSA,L,NS]
```

What if, instead of renaming the key to google.json, we leave the name that Google generates and simply add a setting to specify the correct filename?

It would be simpler for end users to upload the file and just fill in an input box. As for security, to access the file one would need to know its exact name.

If somebody forgets to disable directory listing... I still prefer to have it in the DB or settings; I can do a pull request if you like.

Changing the way we load the JSON key means a rewrite of Google.cfc. Why not simply add an htaccess to the models path?
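The per-directory rule suggested in the last comment, as an added example that is not part of this thread or the project; it assumes Apache with AllowOverride enabled for the module directory and the models path quoted in the issue:

```apache
# Added example: .htaccess placed in modules/contentbox/modules_user/superseo/models/
# The web-root rewrite rules quoted above pass requests for existing files
# straight through (RewriteCond !-f), so google.json is served as a static file.
# This file denies every direct HTTP request to the directory; the CFML engine
# still reads the key from disk, so the module keeps working.
<IfModule mod_authz_core.c>
    # Apache 2.4
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2
    Order deny,allow
    Deny from all
</IfModule>
```

This only helps when requests actually pass through Apache; deployments that serve the webroot directly from the CFML engine or from IIS need the equivalent rule there, which is why the thread prefers storing the key in settings or the database.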