From 3df8828362cb72409c6012a7d3dcb47c142bdf95 Mon Sep 17 00:00:00 2001 From: hoellen Date: Tue, 25 Jul 2023 06:34:32 +0200 Subject: [PATCH] fix: disable snuffleupagus xxe protection Nextcloud now prevents loading external entities by using libxml_set_external_entity_loader. ref: https://github.com/nextcloud/server/pull/39490 https://github.com/hoellen/docker-nextcloud/issues/42 --- README.md | 2 +- rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 5783d86..4f0bf7c 100644 --- a/README.md +++ b/README.md @@ -46,7 +46,7 @@ Don't run random images from random dudes on the Internet. Ideally, you want to - **Images are scanned every day** by [Trivy](https://github.com/aquasecurity/trivy) for OS vulnerabilities. Known vulnerabilities will be automatically uploaded to [GitHub Security Lab](https://github.com/Wonderfall/docker-nextcloud/security/code-scanning) for full transparency. This also warns me if I have to take action to fix a vulnerability. - **Latest tag/version is automatically built weekly**, so you should often update your images regardless if you're already using the latest Nextcloud version. - **Build production images without cache** (use `docker build --no-cache` for instance) if you want to build your images manually. Latest dependencies will hence be used instead of outdated ones due to a cached layer. -- **A security module for PHP called [Snuffleupagus](https://github.com/jvoisin/snuffleupagus) is used by default**. This module aims at killing entire bug and security exploit classes (including XXE, weak PRNG, file-upload based code execution), thus raising the cost of attacks. For now we're using a configuration file derived from [the default one](https://github.com/jvoisin/snuffleupagus/blob/master/config/default_php8.rules), with some explicit exceptions related to Nextcloud. This configuration file is tested and shouldn't break basic functionality, but it can cause issues in specific and untested use cases: if that happens to you, get logs from either `syslog` or `/nginx/logs/error.log` inside the container, and [open an issue](https://github.com/hoellen/docker-nextcloud/issues). You can also disable the security module altogether by changing the `PHP_HARDENING` environment variable to `false` before recreating the container. +- **A security module for PHP called [Snuffleupagus](https://github.com/jvoisin/snuffleupagus) is used by default**. This module aims at killing entire bug and security exploit classes (including weak PRNG, file-upload based code execution), thus raising the cost of attacks. For now we're using a configuration file derived from [the default one](https://github.com/jvoisin/snuffleupagus/blob/master/config/default_php8.rules), with some explicit exceptions related to Nextcloud. This configuration file is tested and shouldn't break basic functionality, but it can cause issues in specific and untested use cases: if that happens to you, get logs from either `syslog` or `/nginx/logs/error.log` inside the container, and [open an issue](https://github.com/hoellen/docker-nextcloud/issues). You can also disable the security module altogether by changing the `PHP_HARDENING` environment variable to `false` before recreating the container. - **Images are signed with the GitHub-provided OIDC token in Actions** using the experimental "keyless" signing feature provided by [cosign](https://github.com/sigstore/cosign). You can verify the image signature using `cosign` as well: ``` diff --git a/rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules b/rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules index 430d549..26b3497 100644 --- a/rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules +++ b/rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules @@ -8,7 +8,7 @@ sp.harden_random.enable(); # Disabled XXE -sp.xxe_protection.enable(); +#sp.xxe_protection.enable(); # Global configuration variables # sp.global.secret_key("YOU _DO_ NEED TO CHANGE THIS WITH SOME RANDOM CHARACTERS."); @@ -34,7 +34,7 @@ sp.sloppy_comparison.enable(); # https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery sp.cookie.name("PHPSESSID").samesite("lax"); -# Nextcloud whitelist (tested with Nextcloud 25.0.0) +# Nextcloud whitelist (tested with Nextcloud 27.0.1) sp.disable_function.function("function_exists").param("function").value("proc_open").filename("/nextcloud/3rdparty/symfony/console/Terminal.php").allow(); sp.disable_function.function("function_exists").param("function").value("exec").filename("/nextcloud/lib/private/legacy/OC_Helper.php").allow(); sp.disable_function.function("function_exists").param("function").value("exec").filename("/nextcloud/lib/public/Util.php").allow();