Lissy93 / dashy

🚀 A self-hostable personal dashboard built for you. Includes status-checking, widgets, themes, icon packs, a UI editor and tons more!

Home Page: https://dashy.to

[BUG] Unauthorized user can access /conf.yml

Towerism opened this issue · comments

Environment

Self-Hosted (Docker)

System

Chrome 124.0.6367.201, Debian GNU/Linux 12 (bookworm), Docker 20.10.24+dfsg1 build 297e128

Version

3.1.0

Describe the problem

First of all, thanks for creating this product. It's a beautiful, easy to configure, easy to use dashboard that has made it a pleasure to organize my home network.

Now onto the bug.

With the following settings:

appConfig.disableConfigurationForNonAdmin: true
appConfig.auth.enableGuestAccess: false

an unauthorized user can access /conf.yml and view the entire config. This seems like a security flaw. Unauthorized users should be denied access to /conf.yml.

Additional info

No response

Closed as duplicate of #668

Please look at the docs before creating a new issue: https://dashy.to/docs/authentication

It's explained there.
You can also find a resolution there, for example adding HTTP basic auth.

Also look at this:
#1579 (comment)
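An added example of the resolution the maintainer points at, HTTP basic auth in front of the app. This is not code from the Dashy project or from the thread; it is an nginx reverse-proxy fragment written for this page. It assumes the Dashy container listens on 127.0.0.1:4000, that the hostname is dashy.example.internal, and that a password file exists at /etc/nginx/.htpasswd, all of which are placeholders. The point is that the credential check runs on the server, so an anonymous request for /conf.yml never reaches the app, which is what the in-app login alone does not guarantee.

```nginx
# Added example, not part of Dashy or its docs. Assumed values: upstream
# 127.0.0.1:4000, hostname dashy.example.internal, password file
# /etc/nginx/.htpasswd, certificate paths under /etc/nginx/certs/.
server {
    listen 443 ssl;
    server_name dashy.example.internal;

    ssl_certificate     /etc/nginx/certs/dashy.crt;
    ssl_certificate_key /etc/nginx/certs/dashy.key;

    # Basic auth applies to the whole server block, so /conf.yml, the
    # JS bundle and the API are all behind the same server-side check.
    auth_basic           "Dashy";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        proxy_pass         http://127.0.0.1:4000;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}
```

Create the password file with `htpasswd -c /etc/nginx/.htpasswd <user>` (from apache2-utils / httpd-tools), reload nginx, and confirm that `curl -I https://dashy.example.internal/conf.yml` now returns 401 without credentials and 200 with `-u <user>:<password>`. The proxy only helps if it is the sole path to the app: bind the container port to the loopback interface (for example `-p 127.0.0.1:4000:80` rather than `-p 4000:80`), otherwise /conf.yml remains reachable directly on the published port.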