feat: Expanded os files list #4536
EsadCetiner left a comment:
Just going through the list, I can clearly see multiple files that are not relevant to web applications. Who installs Steam, a game launcher, on a server? Most of these entries are not relevant to web apps. You also need to sync the changes here to restricted-files.data and restricted-upload.data.
EsadCetiner left a comment:
I'm still seeing a ton of issues with this PR. Can you please go through this and look for duplicate entries, and remove anything that's not relevant for a server?
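The two review requests in this thread, removing duplicate entries and keeping restricted-files.data and restricted-upload.data in sync, are mechanical checks. The script below is an added example, not tooling from the CRS project or from this PR. It assumes the CRS .data convention of one entry per line with `#` comment lines, and the sample file contents, including the `.mylogin.cnf` and `.config/linode-cli` entries, are constructed for the example rather than taken from the PR's diff.

```python
"""Lint CRS-style .data lists for duplicate entries and for entries that are
missing from a sibling list that should carry the same content.

Added example (not the CRS project's own tooling). The file names
restricted-files.data and restricted-upload.data are the ones named in the
review; the sample contents below are constructed.
"""
from collections import Counter


def parse_data_list(text: str) -> list[str]:
    """Return the non-comment, non-blank entries of a .data file, in order.

    Assumed convention: one entry per line, lines starting with '#' are
    comments, surrounding whitespace is insignificant.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entries.append(line)
    return entries


def find_duplicates(entries: list[str]) -> dict[str, int]:
    """Map each entry appearing more than once (case-insensitively) to its count.

    Case-insensitive comparison catches the same path written with different
    casing, which would still be a redundant entry in the list.
    """
    counts = Counter(e.lower() for e in entries)
    return {e: n for e, n in counts.items() if n > 1}


def find_unsynced(primary: list[str], sibling: list[str]) -> list[str]:
    """Entries present in `primary` but absent from `sibling` (case-insensitive)."""
    have = {e.lower() for e in sibling}
    return [e for e in primary if e.lower() not in have]


def lint_pair(primary_text: str, sibling_text: str) -> dict:
    """Run both checks on a primary list and the sibling it should mirror."""
    primary = parse_data_list(primary_text)
    sibling = parse_data_list(sibling_text)
    return {
        "duplicates": find_duplicates(primary),
        "missing_from_sibling": find_unsynced(primary, sibling),
    }


# Constructed sample contents standing in for the two .data files.
# The second ".mylogin.cnf" is a deliberate duplicate; ".config/linode-cli"
# is deliberately absent from the upload list.
RESTRICTED_FILES = """\
# MySQL client login path file (constructed sample entry)
.mylogin.cnf
# Linode CLI config dir (constructed sample entry)
.config/linode-cli
.mylogin.cnf
"""

RESTRICTED_UPLOAD = """\
.mylogin.cnf
"""


if __name__ == "__main__":
    report = lint_pair(RESTRICTED_FILES, RESTRICTED_UPLOAD)
    for entry, n in report["duplicates"].items():
        print(f"duplicate entry: {entry} (x{n})")
    for entry in report["missing_from_sibling"]:
        print(f"missing from sibling list: {entry}")
```

Run against the real files by reading them into `lint_pair` in place of the constructed strings; a non-empty `duplicates` or `missing_from_sibling` result is what the reviewer's two requests would flag.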
Co-authored-by: Esad Cetiner <104706115+EsadCetiner@users.noreply.github.com>
| # Flatpak dir | ||
| .var/ | ||
| # LibreWolf config dir | ||
| .librewolf |
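Review bot: the two entries in this region, `.var/` (Flatpak) and `.librewolf` (LibreWolf), describe desktop-client software rather than anything a web server would host, which is exactly the class of entry the earlier review comment flags as false-positive risk with no security gain; if either is kept, that same comment also asks for the change to be mirrored into restricted-files.data and restricted-upload.data, so the identical lines should appear there too.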
Again, this is not relevant for a server. Think of the actual impact of accessing such a file and whether this is actually something you'd see in the wild. All you're doing is increasing the risk of false positives without improving security.
Co-authored-by: Esad Cetiner <104706115+EsadCetiner@users.noreply.github.com>
I fixed those; I will no longer add anything.
EsadCetiner left a comment:
Everything looks good, there's just one duplicate entry.
This won't make it into the LTS due to the amount of new entries being added, which further heightens the risk of false positives.
Co-authored-by: Esad Cetiner <104706115+EsadCetiner@users.noreply.github.com>
Ok @EsadCetiner, I agree, but we can add it to LTS, but only if you have tested it for any FPs.
I'm afraid I'll agree this massive list change won't make it to LTS. Too risky. But we can merge next week for the latest and greatest version! 💪
Yes @fzipi, I agree with you.
But wait, there are some very important entries that need backporting to LTS, like the Linode and MySQL creds. That is the one thing we need to backport, @EsadCetiner; the other stuff not, because creds are the dangerous information that an attacker should not get for anything. Only dirs containing creds will be backported to LTS, nothing else. Getting Linode creds matters: Linode is a widely used cloud provider, and the Linode CLI contains authentication details; if an attacker gains access to them, that is total control of Linode.
Proposed changes
Expanded the OS files list to cover all critical and app files that were not previously blocked. Importantly, the critical change here adds the MySQL login file, the Linode CLI dir and the Oracle Cloud CLI dir, which contain extremely sensitive content.