Open
Summary
When no ACL file exists for a resource, JSS was previously defaulting to allowing all access (permissive mode). This allowed unauthenticated users to POST arbitrary content to unprotected containers.
Attack Vector
- Attacker sends POST request to any container without an ACL
- JSS accepts the request and creates a file with attacker-controlled content
- This was observed in the wild with Next.js RCE exploit payloads (CVE-2024-34351 style attacks)
Fix
Changed default behavior in src/wac/checker.js:
- Before: No ACL = allow all access
- After: No ACL = deny all access
Fixed in
Commit f43ecdf
Action Required for Deployers
Ensure a root .acl file exists in your data directory. Example (JSON-LD format):
```json
{
  "@context": {
    "acl": "http://www.w3.org/ns/auth/acl#",
    "foaf": "http://xmlns.com/foaf/0.1/"
  },
  "@graph": [
    {
      "@id": "#owner",
      "@type": "acl:Authorization",
      "acl:agent": { "@id": "https://your-domain.com/profile/card#me" },
      "acl:accessTo": { "@id": "https://your-domain.com/" },
      "acl:default": { "@id": "https://your-domain.com/" },
      "acl:mode": [
        { "@id": "acl:Read" },
        { "@id": "acl:Write" },
        { "@id": "acl:Control" }
      ]
    },
    {
      "@id": "#public",
      "@type": "acl:Authorization",
      "acl:agentClass": { "@id": "foaf:Agent" },
      "acl:accessTo": { "@id": "https://your-domain.com/" },
      "acl:default": { "@id": "https://your-domain.com/" },
      "acl:mode": [
        { "@id": "acl:Read" }
      ]
    }
  ]
}
```
Labels
security, breaking-change
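
A deployer-side check for the root .acl format shown above, as an added example that is not part of the issue or of JSS: it flags a root ACL with no named agent holding Control, no `acl:default`, or a public (`foaf:Agent`) rule that grants more than Read. The function names, the `https://pod.example/` URL and the sample ACL are assumptions constructed for illustration, and only the `acl:` and `foaf:` prefixes from the example are expanded.

```javascript
// Added example, not JSS code: audits a root .acl in the JSON-LD shape shown above.
const ACL = "http://www.w3.org/ns/auth/acl#";
const FOAF = "http://xmlns.com/foaf/0.1/";

// Expand the two prefixes used by the example ACL into full IRIs.
function expand(id) {
  if (typeof id !== "string") return "";
  if (id.startsWith("acl:")) return ACL + id.slice(4);
  if (id.startsWith("foaf:")) return FOAF + id.slice(5);
  return id;
}

// A JSON-LD value may be a string, a node object, or an array of either.
function ids(value) {
  if (value === undefined || value === null) return [];
  const list = Array.isArray(value) ? value : [value];
  return list.map((v) => expand(typeof v === "string" ? v : v && v["@id"]));
}

// Returns a list of findings; an empty list means every check passed.
function auditRootAcl(text, rootUrl) {
  let doc;
  try { doc = JSON.parse(text); } catch (err) { return ["root .acl is not valid JSON"]; }
  if (doc === null || typeof doc !== "object") return ["root .acl is not a JSON object"];
  const nodes = Array.isArray(doc["@graph"]) ? doc["@graph"] : [doc];
  const has = (n, mode) => ids(n["acl:mode"]).includes(ACL + mode);
  const auths = nodes.filter((n) => n && ids(n["@type"]).includes(ACL + "Authorization") &&
    ids(n["acl:accessTo"]).includes(rootUrl));
  const findings = [];
  // A named agent must hold Control, which WAC requires for editing ACLs.
  if (!auths.some((n) => ids(n["acl:agent"]).length > 0 && has(n, "Control")))
    findings.push("no named agent holds acl:Control on the root");
  // acl:default is what resources without their own ACL inherit (WAC).
  if (!auths.some((n) => ids(n["acl:default"]).includes(rootUrl)))
    findings.push("no acl:default on the root");
  // Anonymous visitors (foaf:Agent) should hold Read at most.
  for (const n of auths) {
    if (!ids(n["acl:agentClass"]).includes(FOAF + "Agent")) continue;
    for (const mode of ["Write", "Append", "Control"])
      if (has(n, mode)) findings.push(`public rule ${n["@id"]} grants acl:${mode}`);
  }
  return findings;
}

// Constructed sample: a root ACL whose only rule lets everyone write.
const SAMPLE_OPEN_ACL = JSON.stringify({ "@graph": [{
  "@id": "#public", "@type": "acl:Authorization",
  "acl:agentClass": { "@id": "foaf:Agent" }, "acl:accessTo": { "@id": "https://pod.example/" },
  "acl:mode": [{ "@id": "acl:Read" }, { "@id": "acl:Write" }] }] });
console.log(auditRootAcl(SAMPLE_OPEN_ACL, "https://pod.example/"));
```

To audit a deployment, pass the contents of the data directory's root .acl and the pod's root URL to `auditRootAcl`.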