@barbun barbun commented Nov 7, 2025

Issue

Current Nginx rules are very narrow and do not allow assets from SimpleSAMLphp library to be loaded. These assets are needed when e.g. using HTTP-POST binding that creates an intermediary page with a form to ensure that the form gets auto-submitted. When missing, the users get stuck on that intermediary page having to manually submit the form.

Proposed solution

Open up the Nginx rules to allow public/assets/ path from simplesamlphp library. That path is meant to be public by design and does not include any php or secrets but only some fonts, js and css.

@barbun changed the title from "[GOVCMS-13132] Adjusted logic for SLO bindings." to "[GOVCMS-13132] Allow SAML assets in Nginx rules." on Nov 18, 2025

@drupal-spider

Hi @barbun, thanks for raising this question and for the PR.

The way SimpleSAMLphp deploys public assets is a bit unusual. The public/assets directory in the main repository is just an empty placeholder (see: https://github.com/simplesamlphp/simplesamlphp/tree/master/public/assets). Instead of shipping assets directly, SimpleSAMLphp relies on a Composer plugin called composer-module-installer to install “asset modules” that contain the pre-built JS/CSS files.
Documentation: https://github.com/simplesamlphp/composer-module-installer?tab=readme-ov-file#assets-modules

For example, the simplesamlphp-assets-base package (https://github.com/simplesamlphp/simplesamlphp-assets-base) contains the core assets. This means that in order for assets to be deployed into public/assets/, the composer-module-installer plugin must be enabled. If the plugin is disabled, no asset (JS or CSS files) will be installed.

For security reasons, GovCMS explicitly disables the composer-module-installer plugin (see: https://github.com/govCMS/lagoon/blob/3.x-develop/composer.json#L44). So even if we loosen the Nginx rules as this PR proposed, the required JS and CSS for the post form still won’t exist in the file system, because the asset modules were never installed.

barbun commented Nov 18, 2025

hi @drupal-spider

That's right, I should have mentioned that the below PR needs to be merged in for this rule to have a meaningful effect:
govCMS/GovCMS#1723

My security assessment did not indicate any harm in allowing simplesamlphp to use composer-module-installer. If that is not acceptable, then simplesamlphp-assets-base package could be explicitly added via composer.json.
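
Added example, not part of the pull request or of either participant's comments: a pre-merge check that the directory the Nginx rule would expose holds only static assets, and that it is populated at all (the empty-directory case raised above when composer-module-installer is disabled). The function name, the extension allowlist, the placeholder file names and the path in the usage line are assumptions made for illustration.

```shell
#!/bin/sh
# audit_assets DIR: check a directory before exposing it through the web server.
# Return codes: 0 = only allowlisted static files, 1 = missing or empty,
# 2 = symlinks or files outside the allowlist were found.
audit_assets() {
    dir=$1
    status=0
    count=0
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 1
    fi
    # A symlink could resolve outside the public tree, so report every one.
    links=$(find "$dir" -type l)
    if [ -n "$links" ]; then
        echo "$links" | sed 's/^/SYMLINK /'
        status=2
    fi
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        lower=$(printf '%s' "$f" | tr '[:upper:]' '[:lower:]')
        # Repository placeholders (assumed names) do not count as assets.
        case "$lower" in
            */.gitkeep|*/.gitignore) continue ;;
        esac
        count=$((count + 1))
        # Constructed allowlist: stylesheets, scripts, source maps, fonts, images.
        case "$lower" in
            *.css|*.js|*.map|*.woff|*.woff2|*.ttf|*.eot|*.svg|*.png|*.jpg|*.gif|*.ico) ;;
            *) echo "UNEXPECTED $f"; status=2 ;;
        esac
    done <<EOF
$(find "$dir" -type f)
EOF
    if [ "$count" -eq 0 ] && [ "$status" -eq 0 ]; then
        echo "EMPTY $dir"
        return 1
    fi
    return "$status"
}

# Usage: sh audit_assets.sh /path/to/simplesamlphp/public/assets
if [ "$#" -gt 0 ]; then
    audit_assets "$1"
fi
```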
