diff --git a/SECURITY.md b/SECURITY.md index a1e8cc60..38a9db52 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -129,6 +129,11 @@ SQLPage vulnerabilities: - An operator intentionally changes configuration to expose files, trust a different database, make an OIDC path public, weaken CSP, enable dangerous Markdown options, load SQLite extensions, or enable `allow_exec`. +- A symlink placed under `web_root` exposes its target. SQLPage follows + symlinks during static file serving, so operators must not create symlinks + under `web_root` that point to reserved or private files, such as the + `sqlpage/` configuration directory or dotfiles, or to files outside + `web_root`, since those targets would then be publicly reachable over HTTP. - An attacker can modify SQL files, templates, configuration, environment variables, migrations, database code, or `sqlpage_files`. - The configured database role has broader permissions than the application diff --git a/configuration.md b/configuration.md index 0966f51a..a774dcfd 100644 --- a/configuration.md +++ b/configuration.md 
@@ -20,7 +20,7 @@ Here are the available configuration options and their default values: | `database_connection_retries` | 6 | Database connection attempts before giving up. Retries will happen every 5 seconds. | | `database_connection_acquire_timeout_seconds` | 10 | How long to wait when acquiring a database connection from the pool before giving up and returning an error. | | `sqlite_extensions` | | An array of SQLite extensions to load, such as `mod_spatialite` | -| `web_root` | `.` | The root directory of the web server, where the `index.sql` file is located. | +| `web_root` | `.` | The root directory of the web server, where the `index.sql` file is located. Static file serving follows symlinks, so do not place symlinks under `web_root` that point to private paths (such as the `sqlpage/` config directory) or to files outside `web_root`, as their targets would become publicly reachable (see [`SECURITY.md`](./SECURITY.md)). | | `site_prefix` | `/` | Base path of the site. If you want to host SQLPage at `https://example.com/sqlpage/`, set this to `/sqlpage/`. When using a reverse proxy, this allows hosting SQLPage together with other applications on the same subdomain. | | `configuration_directory` | `./sqlpage/` | The directory where the `sqlpage.json` file is located. This is used to find the path to [`templates/`](https://sql-page.com/custom_components.sql), [`migrations/`](https://sql-page.com/your-first-sql-website/migrations.sql), and `on_connect.sql`. Obviously, this configuration parameter can be set only through environment variables, not through the `sqlpage.json` file itself in order to find the `sqlpage.json` file. Be careful not to use a path that is accessible from the public WEB_ROOT | | `allow_exec` | false | Allow usage of the `sqlpage.exec` function. Do this only if all users with write access to sqlpage query files and to the optional `sqlpage_files` table on the database are trusted. |
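Review bot: the new bullet in the SECURITY.md hunk states that "A symlink placed under `web_root` exposes its target", but a symlink to a directory exposes its whole subtree, not a single file, and the sentence should say so explicitly (e.g. "a symlinked directory makes every file beneath its target reachable"). The bullet also scopes the behaviour to "static file serving"; since the neighbouring bullets treat SQL files and static files as separate concerns, say whether a request path that resolves to a `.sql` file through a symlink is executed as well, or restrict the wording to static files if that is really the only affected path. Finally, give operators a check they can run before exposing a site: running `find . -type l` from inside `web_root` lists every symlink so each one can be reviewed against this rule.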
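Review bot: in the configuration.md hunk the `web_root` row now repeats the warning that the unchanged `configuration_directory` row already carries ("Be careful not to use a path that is accessible from the public WEB_ROOT"), and the two rows name the option differently (`web_root` in code formatting versus bare WEB_ROOT). Keep the symlink sentence in the table short and point at [`SECURITY.md`](./SECURITY.md) for the detail, as it already does, and update the `configuration_directory` row to say `web_root` with the same link so the two warnings cannot drift apart. The list of private targets also differs between the two files: the table says "private paths (such as the `sqlpage/` config directory)" while the SECURITY.md bullet lists "the `sqlpage/` configuration directory or dotfiles"; use the same list in both places so readers of the table are not left without the dotfile case.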