This document outlines the considerations we've made regarding the security of SatisPress and the resources it creates to provide you with the information you need to help make informed decisions about the security of your site.
If you think you've discovered a vulnerability, please get in touch privately.
Resources created by SatisPress are private by default and require authentication to access them.
Only users registered in WordPress with the appropriate capabilities can access protected resources, which include package artifacts (plugin and theme zip files) and the packages.json endpoint.
SatisPress ships with support for accessing protected resources by using API Keys via Basic HTTP Authentication.
An API Key is a series of 32 randomly generated letters and numbers that look something like this:
aUEZYqq6pXlMjdg8swe0rQgMCZAPJNaR
API Keys are associated with the user they're created for and inherit the users' capabilities — a key doesn't provide access to protected resources if the user can't access those resources. API Keys are read-only and limited to accessing SatisPress resources, so if one were to become compromised, an attacker could only view and download whitelisted packages.
To use an API Key with Basic authentication, the API Key should be provided as the username with a password of satispress:
Example Request
$ curl https://example.com/satispress/packages.json \
-u aUEZYqq6pXlMjdg8swe0rQgMCZAPJNaR:satispressAPI Keys can be revoked in case they are compromised or if you need to remove access for a specific client.
HTTPS / TLS should always be enabled when using Basic authentication. Basic authentication is not secure over plain HTTP since it requires sending credentials in clear text with every request.
Composer requires HTTPS by default, so this generally shouldn't be a problem, but it's worth noting the security implications if you decide to use Basic authentication over plain HTTP.
Also keep in mind that even with HTTPS enabled, the credentials will most likely be stored in clear text at some point, whether it's an auth.json file or directly in URLs in composer.json.
WordPress usernames and passwords will not work with the default authentication provider included in SatisPress versions after 0.2.3.
Third-party authentication providers that hook into the determine_current_user filter and take care to account for multiple authentication schemes should also work with SatisPress.
We've taken several measures to attempt to ensure package artifacts are protected. Most of these approaches are used by several top backup and eCommerce plugins on the market:
- Package artifacts are cached in a randomly named directory to prevent easy discovery.
- An
.htaccessfile is added to the cache directory to deny access to direct requests on Apache servers. - Download requests can only be made by authenticated users.
If your site is running on NGINX, you may need to implement custom redirects to deny direct access to the cache directory.
SatisPress introduces three new primitive capabilities:
satispress_download_packagessatispress_view_packagessatispress_manage_options
And two new meta capabilities:
satispress_download_packagesatispress_view_package
The primitive capabilities are added to the administrator role by default during plugin installation and upgrade.
The meta capabilities are the ones that are checked at runtime. There's a mapping between the primitive and meta capabilities in the Capabilities provider.
If you're using another authentication provider or really don't need authentication, you can disable the built-in server with a single-line filter:
<?php
/**
* Deregister SatisPress authentication servers.
*/
add_filter( 'satispress_authentication_servers', '__return_empty_array' );Keep in mind that disabling authentication may make it easier for malicious actors to determine which plugins are being used on your site.
Securing the SatisPress repository should be possible using the same methods outlined in the Satis documentation.