Merge pull request #139 from julienloizelet/feat/folder-security-bis

feat(security): Protect geolocation and tls folders with .htaccess

Author: julienloizelet

.cache/.gitignore

@@ -0,0 +1,3 @@
+*
+!.gitignore
+!.htaccess

.distignore

@@ -6,24 +6,17 @@
 /tests
 /vendor/crowdsec/bouncer/vendor
 /vendor/crowdsec/bouncer/tools
-/vendor/crowdsec/bouncer/var
 /vendor/crowdsec/bouncer/tests
 /vendor/crowdsec/bouncer/scripts
-/vendor/crowdsec/bouncer/examples
 /vendor/crowdsec/bouncer/docs
-/vendor/crowdsec/bouncer/docker
 /vendor/crowdsec/bouncer/README.md
 /vendor/crowdsec/bouncer/composer.json
 /vendor/crowdsec/bouncer/composer.lock
-/vendor/crowdsec/bouncer/phpunit.xml
-/vendor/crowdsec/bouncer/.phpdoc-md
-/vendor/crowdsec/bouncer/phpstan.neon
 /vendor/crowdsec/bouncer/.github
-/vendor/crowdsec/.bouncer-key
-.composer.json
-.composer.lock
 *.sh
 *.log
+*.mmdb
+*.pem
 composer.json
 composer.lock
 .distignore

.github/workflows/end-to-end-auto-prepend-test-suite.yml

@@ -58,11 +58,7 @@ jobs:
           echo "WP_VERSION_CODE=$(echo wp${{ matrix.wp-version }} | sed 's/\.//g' )" >> $GITHUB_ENV
 
       - name: Create empty WordPress DDEV project (with Nginx)
-        run: ddev config --project-type=wordpress --project-name=${{ env.WP_VERSION_CODE }} --webserver-type=nginx-fpm
-
-      - name: Handle PHP version
-        run: |
-          sed -i -e 's/^php_version:.*/php_version: "${{ matrix.php-version }}"/g' .ddev/config.yaml  
+        run: ddev config --project-type=wordpress --project-name=${{ env.WP_VERSION_CODE }} --php-version=${{ matrix.php-version }} --webserver-type=nginx-fpm
 
       - name: Add Redis, Memcached, Crowdsec and Playwright
         run: |

.github/workflows/release-test.yml

@@ -62,12 +62,9 @@ jobs:
         run: |
           echo "WP_VERSION_CODE=$(echo wp${{ matrix.wp-version }} | sed 's/\.//g' )" >> $GITHUB_ENV
 
-      - name: Create empty WordPress DDEV project
-        run: ddev config --project-type=wordpress --project-name=${{ env.WP_VERSION_CODE }}
+      - name: Create empty WordPress DDEV project (with Apache)
+        run: ddev config --project-type=wordpress --project-name=${{ env.WP_VERSION_CODE }} --php-version=${{ matrix.php-version }} --webserver-type=apache-fpm
 
-      - name: Handle PHP version
-        run: |
-          sed -i -e 's/^php_version:.*/php_version: "${{ matrix.php-version }}"/g' .ddev/config.yaml  
 
       - name: Add Redis, Memcached, Crowdsec and Playwright
         run: |

.gitignore

@@ -4,23 +4,10 @@ vendor/crowdsec/bouncer/*
 !vendor/crowdsec/bouncer/LICENSE
 
 
-# Systems
-.DS_Store
-
 #Tools
 node_modules/
 .test-results*
-tests/e2e/screenshots
-.cookies.json
-crowdsec-wp*
 
 # App
-.bouncer-key
 *.log
-/.cache/*
-!/.cache/.htaccess
-/logs/*
-!/logs/.htaccess
-.vagrant
-.env
 inc/standalone-settings.php

CHANGELOG.md

@@ -10,7 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Security
 
-- Add `.htaccess` to deny direct access of log and cache folders
+- Add `.htaccess` to deny direct access of plugin folders
 
 
 ---

docs/USER_GUIDE.md

@@ -495,14 +495,18 @@ Here are some examples of how to set options with the `WP-CLI` tool.
 
 ### Security
 
-Logs and cache files generated by this plugin must be protected from direct access attempts.
+Some files used or created by this plugin must be protected from direct access attempts:
 
-Logs files are created in the `wp-content/plugins/crowdses/logs` folder and cache files of the File system cache are 
-created in the `wp-content/plugins/crowdses/.cache` folder.
+- Log files are created in the `wp-content/plugins/crowdsec/logs` folder
+- Cache files of the File system cache are created in the `wp-content/plugins/crowdsec/.cache` folder
+- TLS authentication files are located in the `wp-content/plugins/crowdsec/tls` folder
+- Geolocation database files are located in the `wp-content/plugins/crowdsec/geolocation` folder
 
 **N.B.:**
 - There is no need to protect the `.cache` folder if you are using Redis or Memcached cache systems.
 - There is no need to protect the `logs` folder if you disable debug and prod logging.
+- There is no need to protect the `tls` folder if you use Bouncer API key authentication type.
+- There is no need to protect the `geolocation` folder if you don't use the geolocation feature.
 
 #### Nginx
 
@@ -515,8 +519,8 @@ server {
    ...
    ...
    ...
-   # Deny all attempts to acces log and cache folder of the crowdsec plugin
-   location ~ /crowdsec/(.cache|logs) {
+   # Deny all attempts to access some folders of the crowdsec plugin
+   location ~ /crowdsec/(.cache|logs|tls|geolocation) {
            deny all;
    }
    ...

geolocation/.gitignore

@@ -1 +1,3 @@
-*.mmdb
+*
+!.gitignore
+!.htaccess

geolocation/.htaccess

@@ -0,0 +1,8 @@
+<IfVersion < 2.4>
+    order allow,deny
+    deny from all
+</IfVersion>
+<IfVersion >= 2.4>
+    Require all denied
+</IfVersion>
+

inc/admin/advanced-settings.php

@@ -183,7 +183,8 @@ function adminAdvancedSettings()
     }, ((Constants::CACHE_SYSTEM_PHPFS === get_option('crowdsec_cache_system')) ?
         '<input style="margin-right:10px" type="button" id="crowdsec_prune_cache" value="Prune now" class="button button-secondary" onclick="document.getElementById(\'crowdsec_action_prune_cache\').submit();">' : '').
         '<p>The File system cache is faster than calling Local API. Redis or Memcached is faster than the File System cache.<br>
-If you are using File system cache, please refer to <a target="_blank" href="https://github.com/crowdsecurity/cs-wordpress-bouncer/blob/main/docs/USER_GUIDE.md#security">the documentation to deny direct access to the cache folder.</a></p>', [
+<b>Important note: </b> If you use the File system cache, make sure the <i>wp-content/plugins/crowdsec/.cache</i> path is not publicly accessible.<br>
+Please refer to <a target="_blank" href="https://github.com/crowdsecurity/cs-wordpress-bouncer/blob/main/docs/USER_GUIDE.md#security">the documentation to deny direct access to this folder.</a></p>', [
         Constants::CACHE_SYSTEM_PHPFS => 'File system',
         Constants::CACHE_SYSTEM_REDIS => 'Redis',
         Constants::CACHE_SYSTEM_MEMCACHED => 'Memcached',
@@ -318,7 +319,9 @@ function convertInlineIpRangesToComparableIpBounds(string $inlineIpRanges): arra
      **************************/
 
     add_settings_section('crowdsec_admin_advanced_geolocation', 'Geolocation', function () {
-        echo 'Configure some details about geolocation.';
+        echo 'Configure some details about geolocation.<br>
+<b>Important note: </b> If you use this feature, make sure the <i>wp-content/plugins/crowdsec/geolocation</i> path is not publicly accessible.<br>
+Please refer to <a target="_blank" href="https://github.com/crowdsecurity/cs-wordpress-bouncer/blob/main/docs/USER_GUIDE.md#security">the documentation to deny direct access to this folder.</a>';
     }, 'crowdsec_advanced_settings');
 
     // Field "Geolocation enabled"
@@ -372,7 +375,9 @@ function convertInlineIpRangesToComparableIpBounds(string $inlineIpRanges): arra
      ******************************/
 
     add_settings_section('crowdsec_admin_advanced_debug', 'Debug mode', function () {
-        echo 'Configure the debug mode.<br>Please refer to <a target="_blank" href="https://github.com/crowdsecurity/cs-wordpress-bouncer/blob/main/docs/USER_GUIDE.md#security">the documentation to deny direct access to the log folder.</a>';
+        echo 'Configure the debug mode.<br>
+<b>Important note: </b> Make sure the <i>wp-content/plugins/crowdsec/logs</i> path is not publicly accessible.<br>
+Please refer to <a target="_blank" href="https://github.com/crowdsecurity/cs-wordpress-bouncer/blob/main/docs/USER_GUIDE.md#security">the documentation to deny direct access to this folder.</a>';
     }, 'crowdsec_advanced_settings');
 
     // Field "crowdsec_debug_mode"