node-solid-server

Information exposure about contained resources

Open csarven opened this issue 4 years ago • 0 comments

Given resources:

/foo/
/foo/bar
/foo/baz

where Agent has:

  • Read access to /foo/
  • Read access to /foo/bar
  • No read access to /foo/baz

NSS responds to authorized GET requests to /foo/ with a response that includes statements about /foo/baz (besides containment statements), e.g.:

<baz>
    html:Resource, ldp:Resource;
    terms:modified "2021-02-05T10:49:07Z"^^XML:dateTime;
    st:mtime 1612522147.974;
    st:size 12.

It'd be preferable to not expose types (besides indicating it is a container or a non-container e.g. html:Resource), modified, mtime, size information about /foo/baz since the agent is not granted read access to /foo/baz.

See proposed security consideration: https://github.com/solid/specification/pull/228

You may want to consider performance / response times if you follow-up on this change.

csarven, Feb 05 '21 12:02
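
One way to apply the filtering the issue asks for, as an added example that is not node-solid-server code: statements about a contained resource the agent cannot read are dropped, except the containment triple and a container/non-container type. The function names, the `{s, p, o}` statement shape, the `pod.example` IRIs and the choice of which types count as structural are assumptions; ACL decisions are cached per child because of the response-time concern raised above.

```javascript
// Added example, not node-solid-server code; every name below is hypothetical.
const RDF_TYPE = 'http://www.w3.org/1999/02/22-rdf-syntax-ns#type';
const LDP = 'http://www.w3.org/ns/ldp#';
const STAT = 'http://www.w3.org/ns/posix/stat#';
const DCT = 'http://purl.org/dc/terms/';
const HTML_RESOURCE = 'http://www.w3.org/ns/iana/media-types/text/html#Resource';

// Assumption: only these types count as "container or non-container" markers.
const STRUCTURAL_TYPES = new Set(
  [LDP + 'Resource', LDP + 'Container', LDP + 'BasicContainer']);

// quads: [{s, p, o}] describing a container and its children.
// canRead(iri) -> boolean is the caller's ACL check for the requesting agent.
function filterContainerListing(containerIri, quads, canRead) {
  const children = new Set(quads
    .filter(q => q.s === containerIri && q.p === LDP + 'contains')
    .map(q => q.o));
  const decisions = new Map(); // one ACL evaluation per child, not per statement
  const readable = iri => {
    if (!decisions.has(iri)) decisions.set(iri, Boolean(canRead(iri)));
    return decisions.get(iri);
  };
  return quads.filter(q => {
    if (!children.has(q.s)) return true; // about the container itself
    if (readable(q.s)) return true;      // agent may read this child
    return q.p === RDF_TYPE && STRUCTURAL_TYPES.has(q.o); // drop the rest
  });
}

// Constructed sample mirroring the issue: /foo/ contains bar and baz.
const FOO = 'https://pod.example/foo/';
const describeChild = iri => [
  { s: FOO, p: LDP + 'contains', o: iri },
  { s: iri, p: RDF_TYPE, o: HTML_RESOURCE },
  { s: iri, p: RDF_TYPE, o: LDP + 'Resource' },
  { s: iri, p: DCT + 'modified', o: '2021-02-05T10:49:07Z' },
  { s: iri, p: STAT + 'mtime', o: '1612522147.974' },
  { s: iri, p: STAT + 'size', o: '12' },
];
const sampleQuads = [...describeChild(FOO + 'bar'), ...describeChild(FOO + 'baz')];
let aclChecks = 0;
const agentCanRead = iri => { aclChecks++; return iri !== FOO + 'baz'; };
const filtered = filterContainerListing(FOO, sampleQuads, agentCanRead);
console.log(filtered.filter(q => q.s === FOO + 'baz'));
```
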