diff --git a/.jules/sentinel.md b/.jules/sentinel.md new file mode 100644 index 0000000..8c5c440 --- /dev/null +++ b/.jules/sentinel.md @@ -0,0 +1,8 @@ +## 2024-05-24 - [CRITICAL] Hardcoded Secret in Nginx Configuration +**Vulnerability:** A hardcoded secret token (`xrpc-9f8e7d6c5b4a`) was found in the `server-php/config/conf.d/wordpress.conf` Nginx configuration file. It was used as a query parameter check (`$arg_token = "xrpc-9f8e7d6c5b4a"`) to bypass the block on the `/xmlrpc.php` endpoint. This exposes the XML-RPC endpoint to anyone who knows or discovers the token, which is committed to the repository. +**Learning:** Nginx configuration files can sometimes contain logic and conditionals (e.g., `if` blocks) that are used for access control. Hardcoding secrets directly in these configuration files is a critical vulnerability because configuration files are often tracked in version control, making the secret visible to anyone with read access to the repository. The environment variable substitution (`envsubst`) was mentioned in comments but not actually implemented in the `server-php` entrypoint, meaning the config is used directly as written. +**Prevention:** +1. **Never hardcode secrets** in Nginx configuration files, or any other tracked configuration files. +2. If an endpoint like `/xmlrpc.php` must be blocked, use an unconditional `deny all;` directive. +3. If access control is necessary, use proper authentication mechanisms (e.g., basic auth with a hashed password file managed outside version control, or upstream application-level authentication) rather than simple token string matching in the web server configuration. +4. If secrets must be injected into configuration at runtime, ensure the startup script (e.g., `entrypoint.sh`) properly utilizes environment variable substitution (like `envsubst`) and that the raw configuration templates tracked in git only contain variable placeholders. diff --git a/developer/Dockerfile b/developer/Dockerfile index fa730aa..f189caa 100644 --- a/developer/Dockerfile +++ b/developer/Dockerfile @@ -106,7 +106,7 @@ RUN composer global config allow-plugins.pestphp/pest-plugin true && \ laravel/pint:^1.0 # FrankenPHP (static binary) -RUN curl -fsSL "https://github.com/dunglas/frankenphp/releases/latest/download/frankenphp-linux-$(uname -m | sed 's/aarch64/arm64/' | sed 's/x86_64/x86_64/')" -o /usr/local/bin/frankenphp && \ +RUN curl -fsSL "https://github.com/dunglas/frankenphp/releases/latest/download/frankenphp-linux-$(uname -m)" -o /usr/local/bin/frankenphp && \ chmod +x /usr/local/bin/frankenphp # ============================================================ diff --git a/server-php/config/conf.d/wordpress.conf b/server-php/config/conf.d/wordpress.conf index 911ff19..4f18d83 100644 --- a/server-php/config/conf.d/wordpress.conf +++ b/server-php/config/conf.d/wordpress.conf @@ -105,28 +105,11 @@ server { access_log off; } - # Block XML-RPC by default, allow with secret token - # Usage: /xmlrpc.php?token=YOUR_XMLRPC_TOKEN + # Unconditionally block XML-RPC location = /xmlrpc.php { - set $xmlrpc_allowed 0; - - # Allow if valid token provided (set in environment or change here) - if ($arg_token = "xrpc-9f8e7d6c5b4a") { - set $xmlrpc_allowed 1; - } - - # Block if no valid token - if ($xmlrpc_allowed = 0) { - return 403; - } - - # Pass to PHP if allowed - try_files $uri =404; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass unix:/run/php-fpm.sock; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_index index.php; - include fastcgi_params; + deny all; + access_log off; + log_not_found off; } # Deny access to hidden files