feat(security): Protect cache and log folders with .htaccess

Author: julienloizelet

.cache/.htaccess

@@ -0,0 +1,8 @@
+<IfVersion < 2.4>
+    order allow,deny
+    deny from all
+</IfVersion>
+<IfVersion >= 2.4>
+    Require all denied
+</IfVersion>
+

.distignore

@@ -1,4 +1,3 @@
-/.cache
 /.git
 /.github
 /.githooks
@@ -25,10 +24,7 @@
 .composer.lock
 *.sh
 *.log
-README.md
-CHANGELOG.md
 composer.json
 composer.lock
-/logs/**
 .distignore
 .gitignore

.github/workflows/end-to-end-auto-prepend-test-suite.yml

@@ -57,8 +57,8 @@ jobs:
         run: |
           echo "WP_VERSION_CODE=$(echo wp${{ matrix.wp-version }} | sed 's/\.//g' )" >> $GITHUB_ENV
 
-      - name: Create empty WordPress DDEV project
-        run: ddev config --project-type=wordpress --project-name=${{ env.WP_VERSION_CODE }}
+      - name: Create empty WordPress DDEV project (with Nginx)
+        run: ddev config --project-type=wordpress --project-name=${{ env.WP_VERSION_CODE }} --webserver-type=nginx-fpm
 
       - name: Handle PHP version
         run: |

.github/workflows/end-to-end-test-suite.yml

@@ -57,8 +57,8 @@ jobs:
         run: |
           echo "WP_VERSION_CODE=$(echo wp${{ matrix.wp-version }} | sed 's/\.//g' )" >> $GITHUB_ENV
 
-      - name: Create empty WordPress DDEV project
-        run: ddev config --project-type=wordpress --project-name=${{ env.WP_VERSION_CODE }} --php-version=${{ matrix.php-version }}
+      - name: Create empty WordPress DDEV project (with Apache)
+        run: ddev config --project-type=wordpress --project-name=${{ env.WP_VERSION_CODE }} --php-version=${{ matrix.php-version }} --webserver-type=apache-fpm
 
       - name: Add Redis, Memcached, Crowdsec and Playwright
         run: |

.gitignore

@@ -16,8 +16,11 @@ crowdsec-wp*
 
 # App
 .bouncer-key
-.cache/
 *.log
+/.cache/*
+!/.cache/.htaccess
+/logs/*
+!/logs/.htaccess
 .vagrant
 .env
 inc/standalone-settings.php

CHANGELOG.md

@@ -5,6 +5,17 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en)
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 
+## [2.3.0](https://github.com/crowdsecurity/cs-wordpress-bouncer/releases/tag/v2.3.0) - 2023-04-06
+[_Compare with previous release_](https://github.com/crowdsecurity/cs-wordpress-bouncer/compare/v2.2.0...v2.3.0)
+
+### Security
+
+- Add `.htaccess` to deny direct access of log and cache folders
+
+
+---
+
+
 ## [2.2.0](https://github.com/crowdsecurity/cs-wordpress-bouncer/releases/tag/v2.2.0) - 2023-03-30
 [_Compare with previous release_](https://github.com/crowdsecurity/cs-wordpress-bouncer/compare/v2.1.0...v2.2.0)
 

docs/DEVELOPER.md

@@ -90,7 +90,6 @@ ddev get ddev/ddev-redis
 ddev get ddev/ddev-memcached
 ddev get julienloizelet/ddev-tools
 ddev get julienloizelet/ddev-playwright
-ddev start
 ```
 
 - Launch DDEV
@@ -106,8 +105,7 @@ This should take some times on the first launch as this will download all necess
 ```
 ddev wp core download
 
-ddev exec wp core install --url='https://your-project-name.ddev.site' --title='WordPress' --admin_user='admin' 
---admin_password='admin123' --admin_email='admin@admin.com'
+ddev exec wp core install --url='https://your-project-name.ddev.site' --title='WordPress' --admin_user='admin' --admin_password='admin123' --admin_email='admin@admin.com'
 
 ```
 

docs/USER_GUIDE.md

@@ -490,6 +490,54 @@ Here are some examples of how to set options with the `WP-CLI` tool.
 
 
 
+### Security
+
+Logs and cache files generated by this plugin must be protected from direct access attempts.
+
+Logs files are created in the `wp-content/plugins/crowdses/logs` folder and cache files of the File system cache are 
+created in the `wp-content/plugins/crowdses/.cache` folder.
+
+**N.B.:**
+- There is no need to protect the `.cache` folder if you are using Redis or Memcached cache systems.
+- There is no need to protect the `logs` folder if you disable debug and prod logging.
+
+#### Nginx
+
+If you are using Nginx, you should add a directive in your website configuration file to deny access to these folders.
+
+This could be done with the following snippet:
+
+```
+server {
+   ...
+   ...
+   ...
+   # Deny all attempts to acces log and cache folder of the crowdsec plugin
+   location ~ /crowdsec/(.cache|logs) {
+           deny all;
+   }
+   ...
+   ...
+}
+```
+
+#### Apache
+
+If you are using Apache, these folders already contain the required `.htaccess` file: 
+
+```
+<IfVersion < 2.4>
+    order allow,deny
+    deny from all
+</IfVersion>
+<IfVersion >= 2.4>
+    Require all denied
+</IfVersion>
+```
+
+So you don't have to do anything more.
+
+
 ### Auto Prepend File mode
 
 By default, this extension will bounce every web requests that pass through the classical process of WordPress core loading.

inc/admin/advanced-settings.php

@@ -182,7 +182,8 @@ function adminAdvancedSettings()
         return $input;
     }, ((Constants::CACHE_SYSTEM_PHPFS === get_option('crowdsec_cache_system')) ?
         '<input style="margin-right:10px" type="button" id="crowdsec_prune_cache" value="Prune now" class="button button-secondary" onclick="document.getElementById(\'crowdsec_action_prune_cache\').submit();">' : '').
-        '<p>The File system cache is faster than calling Local API. Redis or Memcached is faster than the File System cache.</p>', [
+        '<p>The File system cache is faster than calling Local API. Redis or Memcached is faster than the File System cache.<br>
+If you are using File system cache, please refer to <a target="_blank" href="https://github.com/crowdsecurity/cs-wordpress-bouncer/blob/main/docs/USER_GUIDE.md#security">the documentation to deny direct access to the cache folder.</a></p>', [
         Constants::CACHE_SYSTEM_PHPFS => 'File system',
         Constants::CACHE_SYSTEM_REDIS => 'Redis',
         Constants::CACHE_SYSTEM_MEMCACHED => 'Memcached',
@@ -371,7 +372,7 @@ function convertInlineIpRangesToComparableIpBounds(string $inlineIpRanges): arra
      ******************************/
 
     add_settings_section('crowdsec_admin_advanced_debug', 'Debug mode', function () {
-        echo 'Configure the debug mode.';
+        echo 'Configure the debug mode.<br>Please refer to <a target="_blank" href="https://github.com/crowdsecurity/cs-wordpress-bouncer/blob/main/docs/USER_GUIDE.md#security">the documentation to deny direct access to the log folder.</a>';
     }, 'crowdsec_advanced_settings');
 
     // Field "crowdsec_debug_mode"