How can we prevent attackers to submitting live components URLs directly? #1674

Closed
rajansharmax opened this issue Apr 2, 2024 · 4 comments
Closed

Comments

@rajansharmax

http://websitename/_components/SearchForm?props=

So an attacker is using the live component URL to pass malicious code. How can we stop this?

@rajansharmax
Author

Is there a way to stop this, or any rate limiter?

@rajansharmax rajansharmax changed the title How can we stop attackers from submitting URLs for live components? How can we prevent attackers from submitting URLs to live components? Apr 2, 2024
@kbond
Member

kbond commented Apr 2, 2024

@rajansharmax could you provide more details to security [at] symfony.com?

@rajansharmax
Author

So the attacker added the live component URL to the bot, and maybe they are trying to inject a SQL query. So my question is: how can we prevent this kind of form submission? We are getting a lot of error log messages.

Is there any rate limiter for this, or do we need to add rate limiters on the server?

@smnandre
Member

smnandre commented Apr 2, 2024

I'll try to answer, but keep in mind that depending on your components, your needs, etc., some of those points may not be relatable to your project.

  • you can add a RateLimiter in your components (they are services, so you can inject a RateLimiter inside one specific component, or -probably better- you can leverage one of the available events and create a shared Listener for this)
  • you may want to restrict this URL to specific users (authenticated, or by IP, header...) with firewall + access control rules
  • you can enable CSRF verification for your component actions
  • you could set a global request control in your app that triggers custom HTTP codes + a ban system (fail2ban-like)
  • you could also ban on your web server / host IPs that you often see trying some "malicious" things as you said

On your app side, there is no risk of SQL injection if you're using DTOs or scalars.

For Doctrine entities, if you use the query builder or predefined repository functions, neither (the string values will be escaped by Doctrine before being set, and should probably not pass your entity validation constraints, I guess).

In the end, a live component URL is like any controller URL in Symfony, and you can leverage all the usual tools provided by Symfony / your server to control it.

Concerning the error log messages: are they just "404" errors, or is there something more suspicious here?
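The first bullet above (a shared listener that rate limits every live component request instead of wiring a limiter into each component) as an added example; this is not code from UX Live Component or from the commenters. It assumes a rate limiter named `live_component` configured under `framework.rate_limiter` (shown in the header comment), which Symfony exposes as the autowirable constructor argument `RateLimiterFactory $liveComponentLimiter`, and it assumes live components are served under the default `/_components/` prefix seen in the issue's URL.

```php
<?php
// src/EventListener/LiveComponentRateLimitListener.php
// Added example, not UX Live Component's own code. Assumes this limiter in
// config/packages/framework.yaml:
//
//   framework:
//       rate_limiter:
//           live_component:
//               policy: 'sliding_window'
//               limit: 30
//               interval: '1 minute'
//
// Symfony registers it as the autowirable argument
// "RateLimiterFactory $liveComponentLimiter".

namespace App\EventListener;

use Symfony\Component\EventDispatcher\Attribute\AsEventListener;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\RateLimiter\RateLimiterFactory;

#[AsEventListener(event: KernelEvents::REQUEST, priority: 20)]
final class LiveComponentRateLimitListener
{
    // Assumption: the default live component route prefix from the issue.
    // Change this if your routes.yaml mounts the bundle elsewhere.
    private const LIVE_COMPONENT_PREFIX = '/_components/';

    public function __construct(private RateLimiterFactory $liveComponentLimiter)
    {
    }

    public function __invoke(RequestEvent $event): void
    {
        if (!$event->isMainRequest()) {
            return;
        }

        $request = $event->getRequest();
        if (!$this->isLiveComponentRequest($request)) {
            return;
        }

        // One bucket per client IP. Behind a reverse proxy, configure
        // trusted_proxies so getClientIp() returns the real client address.
        $limiter = $this->liveComponentLimiter->create($request->getClientIp() ?? 'unknown');
        $limit = $limiter->consume(1);

        if ($limit->isAccepted()) {
            return;
        }

        // Short-circuit the request: the component is never hydrated, so no
        // props are deserialized and no action runs for an over-limit client,
        // and the 404/500 noise in the logs is replaced by a single 429.
        $retryAfter = max(1, $limit->getRetryAfter()->getTimestamp() - time());
        $event->setResponse(new Response(
            'Too Many Requests',
            Response::HTTP_TOO_MANY_REQUESTS,
            ['Retry-After' => (string) $retryAfter],
        ));
    }

    private function isLiveComponentRequest(Request $request): bool
    {
        return str_starts_with($request->getPathInfo(), self::LIVE_COMPONENT_PREFIX);
    }
}
```

Because this runs on `kernel.request` before routing reaches the component, it covers every live component at once, including ones added later. If you also want the second bullet (restrict the URL to authenticated users), an `access_control` rule in `security.yaml` on the same `^/_components/` path prefix composes with this listener rather than replacing it.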

@rajansharmax rajansharmax changed the title How can we prevent attackers from submitting URLs to live components? How can we prevent attackers to submitting live components URLs directly? Apr 3, 2024