
Remove file listing permission from /code-refs/ directories


      Description of problem:

      Customer security team discovered that many folders in openshift-console are browsable. Can you please remove the listing permissions from these folders (or globally)?
      
      Here are some examples:
      https://console-openshift-console.apps.<domain>/static/dev-console/
      https://console-openshift-console.apps.<domain>/static/helm-plugin/
      https://console-openshift-console.apps.<domain>/static/topology/
      
      
      

      Version-Release number of selected component (if applicable):

      Tested on OCP 4.12.0 but I guess it affects all versions of the OCP web console

      How reproducible:

      Open the URLs with curl or a web browser and check that directory/files are listed

      Steps to Reproduce:


      Actual results:

      Directories and files are listed

      Expected results:

      Web server should return a forbidden error

      Additional info:

       
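Added example, not code from the console project or from this report: assuming the static tree is served by Go's http.FileServer (which renders an index page for any directory it can open), wrapping the http.FileSystem so that directories cannot be opened makes the server answer 403 Forbidden for paths like /static/dev-console/ while the files below them stay reachable. The noListFS and newStaticHandler names and the in-memory asset tree are constructed for this illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"testing/fstest"
)

// noListFS wraps an http.FileSystem and refuses to open directories: http.FileServer maps
// fs.ErrPermission to "403 Forbidden", while files stay reachable by their exact path.
type noListFS struct{ inner http.FileSystem }

func (n noListFS) Open(name string) (http.File, error) {
	f, err := n.inner.Open(name)
	if err != nil {
		return nil, err // unknown path: FileServer still answers 404
	}
	st, err := f.Stat()
	if err != nil || st.IsDir() {
		f.Close()
		if err == nil {
			err = os.ErrPermission // directory: 403 instead of an index page
		}
		return nil, err
	}
	return f, nil
}

// newStaticHandler (hypothetical name) serves fsys with directory listing disabled.
func newStaticHandler(fsys http.FileSystem) http.Handler {
	return http.FileServer(noListFS{fsys})
}

// demoAssets is a constructed in-memory asset tree mirroring the report's example path.
var demoAssets = http.FS(fstest.MapFS{
	"static/dev-console/app.js": {Data: []byte("// constructed asset")},
})

// probe returns the status code h gives for a GET of path.
func probe(h http.Handler, path string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}

func main() {
	fmt.Println("GET /static/dev-console/  default:", probe(http.FileServer(demoAssets), "/static/dev-console/"), "hardened:", probe(newStaticHandler(demoAssets), "/static/dev-console/"))
}
```

Note that a directory request is refused even when it contains an index.html, so asset URLs must name the file explicitly.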

            jhadvig@redhat.com Jakub Hadvig
            rhn-support-fgleizes Florian Gleizes (Inactive)
            Sanket Pathak Sanket Pathak