Information exposure through Link header by guessing an allocated URI

Open · csarven opened this issue 4 years ago · 1 comment

NSS responds to unauthenticated and unauthorized GET requests to /foo/bar (that exists) by including the HTTP header:

Link: <bar.acl>; rel="acl", <bar.meta> rel="describedBy", <http://www.w3.org/ns/ldp#Resource>; rel="type"

For GET requests to non-existing resources, e.g. /foo/baz, the response doesn't include the HTTP Link header.

Thus, the security consideration: existence of a resource can potentially be known by guessing or anticipating an allocated URI.

There are use cases where the server may want to reveal the information in the Link header in the response. If the server doesn't make the distinction between intentionally revealing and unintentionally exposing, the server is encouraged to minimize information leaking. So, in the case here, it should be consistent by omitting the Link header for unauthenticated and unauthorized requests.

csarven, Mar 26 '21 11:03

Same behaviour with OPTIONS.

csarven, Apr 23 '21 12:04
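The behaviour reported for GET and OPTIONS above, modelled as an added example (not node-solid-server's own code): a small dependency-free handler that either attaches the Link header whenever the resource exists (the reported behaviour) or only once the request is authorized (the proposed mitigation), plus a check that compares unauthenticated responses for an existing and a missing path. The resource store, the `authorized` flag and the paths are constructed for illustration.

```javascript
// Constructed resource store: only /foo/bar exists (hypothetical, for illustration).
const resources = new Set(['/foo/bar']);

// Build the Link header with the relations from the issue: acl, describedBy, type.
function linkHeader(path) {
  const name = path.slice(path.lastIndexOf('/') + 1);
  return `<${name}.acl>; rel="acl", <${name}.meta>; rel="describedBy", ` +
    '<http://www.w3.org/ns/ldp#Resource>; rel="type"';
}

// Model of the server's GET/OPTIONS response headers (status codes are left out,
// since the issue only discusses the Link header).
//   leakLink = true  -> Link attached whenever the resource exists (reported behaviour)
//   leakLink = false -> Link attached only for authorized requests (mitigation)
function handle(method, path, { authorized }, { leakLink }) {
  if (method !== 'GET' && method !== 'OPTIONS') {
    throw new Error(`unsupported method in this model: ${method}`);
  }
  const headers = {};
  if (resources.has(path) && (leakLink || authorized)) {
    headers.Link = linkHeader(path);
  }
  return { headers };
}

// Defender-side check: can an unauthenticated request tell an existing path
// from a missing one by the set of response headers alone?
function leaksExistence(method, existingPath, missingPath, opts) {
  const a = handle(method, existingPath, { authorized: false }, opts);
  const b = handle(method, missingPath, { authorized: false }, opts);
  const keys = (r) => Object.keys(r.headers).sort().join(',');
  return keys(a) !== keys(b);
}
```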