feat: Prevent access to internal storage containers

CommunitySolidServer · Jul 27, 2021 · 7b94b71 · 7b94b71
1 parent f4833d2
commit 7b94b71
Show file tree

Hide file tree

Showing 9 changed files with 27 additions and 7 deletions.
diff --git a/config/default.json b/config/default.json
@@ -19,7 +19,7 @@
     "files-scs:config/ldp/metadata-writer/default.json",
     "files-scs:config/ldp/permissions/acl.json",
     "files-scs:config/storage/backend/memory.json",
-    "files-scs:config/storage/key-value/memory.json",
+    "files-scs:config/storage/key-value/resource-store.json",
     "files-scs:config/storage/middleware/default.json",
     "files-scs:config/util/auxiliary/acl.json",
     "files-scs:config/util/identifiers/suffix.json",

diff --git a/config/dynamic.json b/config/dynamic.json
@@ -19,7 +19,7 @@
     "files-scs:config/ldp/metadata-writer/default.json",
     "files-scs:config/ldp/permissions/acl.json",
     "files-scs:config/storage/backend/dynamic.json",
-    "files-scs:config/storage/key-value/memory.json",
+    "files-scs:config/storage/key-value/resource-store.json",
     "files-scs:config/storage/middleware/default.json",
     "files-scs:config/util/auxiliary/acl.json",
     "files-scs:config/util/identifiers/suffix.json",

diff --git a/config/example-https-file.json b/config/example-https-file.json
@@ -19,7 +19,7 @@
     "files-scs:config/ldp/metadata-writer/default.json",
     "files-scs:config/ldp/permissions/acl.json",
     "files-scs:config/storage/backend/file.json",
-    "files-scs:config/storage/key-value/memory.json",
+    "files-scs:config/storage/key-value/resource-store.json",
     "files-scs:config/storage/middleware/default.json",
     "files-scs:config/util/auxiliary/acl.json",
     "files-scs:config/util/identifiers/suffix.json",

diff --git a/config/file.json b/config/file.json
@@ -19,7 +19,7 @@
     "files-scs:config/ldp/metadata-writer/default.json",
     "files-scs:config/ldp/permissions/acl.json",
     "files-scs:config/storage/backend/file.json",
-    "files-scs:config/storage/key-value/memory.json",
+    "files-scs:config/storage/key-value/resource-store.json",
     "files-scs:config/storage/middleware/default.json",
     "files-scs:config/util/auxiliary/acl.json",
     "files-scs:config/util/identifiers/suffix.json",

diff --git a/config/ldp/authorization/webacl.json b/config/ldp/authorization/webacl.json
@@ -9,6 +9,12 @@
       "@id": "urn:solid-server:default:Authorizer",
       "@type": "WaterfallHandler",
       "handlers": [
+        {
+          "comment": "This authorizer will be used to prevent external access to containers used for internal storage.",
+          "@id": "urn:solid-server:default:PathBasedAuthorizer",
+          "@type": "PathBasedAuthorizer",
+          "baseUrl": { "@id": "urn:solid-server:default:variable:baseUrl" }
+        },
         {
           "comment": "This authorizer makes sure that for auxiliary resources, the main authorizer gets called with the associated identifier.",
           "@type": "AuxiliaryAuthorizer",

diff --git a/config/memory-subdomains.json b/config/memory-subdomains.json
@@ -19,7 +19,7 @@
     "files-scs:config/ldp/metadata-writer/default.json",
     "files-scs:config/ldp/permissions/acl.json",
     "files-scs:config/storage/backend/memory.json",
-    "files-scs:config/storage/key-value/memory.json",
+    "files-scs:config/storage/key-value/resource-store.json",
     "files-scs:config/storage/middleware/default.json",
     "files-scs:config/util/auxiliary/acl.json",
     "files-scs:config/util/identifiers/subdomain.json",

diff --git a/config/path-routing.json b/config/path-routing.json
@@ -19,7 +19,7 @@
     "files-scs:config/ldp/metadata-writer/default.json",
     "files-scs:config/ldp/permissions/acl.json",
     "files-scs:config/storage/backend/regex.json",
-    "files-scs:config/storage/key-value/memory.json",
+    "files-scs:config/storage/key-value/resource-store.json",
     "files-scs:config/storage/middleware/default.json",
     "files-scs:config/util/auxiliary/acl.json",
     "files-scs:config/util/identifiers/suffix.json",

diff --git a/config/sparql-endpoint.json b/config/sparql-endpoint.json
@@ -19,7 +19,7 @@
     "files-scs:config/ldp/metadata-writer/default.json",
     "files-scs:config/ldp/permissions/acl.json",
     "files-scs:config/storage/backend/sparql.json",
-    "files-scs:config/storage/key-value/memory.json",
+    "files-scs:config/storage/key-value/resource-store.json",
     "files-scs:config/storage/middleware/default.json",
     "files-scs:config/util/auxiliary/acl.json",
     "files-scs:config/util/identifiers/suffix.json",

diff --git a/config/storage/key-value/resource-store.json b/config/storage/key-value/resource-store.json
@@ -22,6 +22,20 @@
       "source": { "@id": "urn:solid-server:default:ResourceStore" },
       "baseUrl": { "@id": "urn:solid-server:default:variable:baseUrl" },
       "container": "/idp/data/"
+    },
+    {
+      "comment": "Block external access to the storage containers to avoid exposing internal data.",
+      "@id": "urn:solid-server:default:PathBasedAuthorizer",
+      "PathBasedAuthorizer:_paths": [
+        {
+          "PathBasedAuthorizer:_paths_key": "^/locks(/.*)?$",
+          "PathBasedAuthorizer:_paths_value": { "@type": "DenyAllAuthorizer" }
+        },
+        {
+          "PathBasedAuthorizer:_paths_key": "^/idp/data(/.*)?$",
+          "PathBasedAuthorizer:_paths_value": { "@type": "DenyAllAuthorizer" }
+        }
+      ]
     }
   ]
 }