New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[4.0] DB Credentials are exposed in the application API #29196
Comments
Thanks will take a look into that issue over the weekend. |
Why not? |
Quote from @mbabker
|
my usual dirt hack 😄 |
I'm assigning the |
I'm fairly certain the Joomla development strategy does not reflect a policy regarding features of this type of API, but things that should be considered a B/C break include:
Therefore, any plans for removal of data and/or endpoints must be finalized prior to release as those types of changes should be considered breaking changes by any sane definition. Additionally, even if after release it were decided to publish a |
When i get you right it is correct to mark this as release blocker so the decision is taken before stable is out right? |
I deliberately made these accessible - it's ultimately super admin only anyhow (if it's not it should be). But I want to have every endpoint in Joomla having a corresponding API action. |
Ok so this can be closed as expected behavior now, right? |
For content that makes sense. How many API providers routinely ship endpoints where application level configuration can be manipulated (even with ACL rules)? I think API endpoints allowing manipulation of com_config, and to a lesser extent com_installer and com_plugins (because those ultimately make changes at the application level) are a major red flag and need to be seriously scrutinized to decide if they actually provide a more tangible benefit than "if you can do it in the UI then there is an API endpoint for it". |
Sure in drupal this is called the configuration API https://www.drupal.org/docs/8/api/configuration-api I think com_installer installing extensions by file upload is more arguable than com_config tbh. I honestly don't see why APIs for taking your site offline etc wouldn't be something you would want (also turning on debug mode etc). I'm also assuming we're talking about the application view in com_config - for component configuration I could give a much longer list of examples. |
That’s an internal application API (what Joomla would put in libraries), nothing there indicates that is exposed to a RESTful interface. |
I think https://www.drupal.org/node/2724823 is the get requests. I'm unclear as to whether they support updates. But that's largely based on the fact the many of the config entities don't support validation (obviously Joomla does) REF: https://www.drupal.org/project/drupal/issues/2300677 |
Closing as it's intended |
Steps to reproduce the issue
Use the following in your terminal:
Or via JS:
Expected result
DB credentials should not be returned in the API response
Actual result
Database credentials are exposed
Additional comments
It has been raised that that application API should be removed as site level configs should not be exposed at all.
@wilsonge @zero-24 @SniperSister
The text was updated successfully, but these errors were encountered: