All page files are publicly accessible with the suggested server configuration

[andrigamerita]

Hello,
in trying HTMLy a bit on my server (nginx), I noticed something that I feel is probably a security oversight. Since it concerns web server configuration, and not the program itself, I'm reporting it here.

While the basic configurations for web servers provided in this documentation (https://docs.htmly.com/web-servers) ensure configuration files for the program are properly protected against access from the Internet, I found out that content that should be private is, in fact, not kept as such.
Specifically, the entire /content/ directory of the website is allowed to be accessed from the Internet, when using the basic provided configuration. This includes all source Markdown files for posts and pages and, specifically, drafts and programmed posts, which in theory only admins and editors should be able to read.

To me this appears to be a security hole, since it means that effectively anyone can download and read posts that they shouldn't be able to. Provided they know the URL or are able to bruteforce it, which can happen in a number of situations, it's as simple as requesting http://<website>/content/<username>/blog/<category>/draft/<post-slug>.md.
As far as I can see, there's no technical reason for these files to be exposed to the public, so I believe a rule should be added to the sample server configurations, to take care of blocking access to the relevant files, inside /content/.
Given that posts are grouped in directories named as the users, however, it's kind of tricky to block folders, because we would need to block ALL subdirectories in there, EXCEPT those required to be accessible from the Internet, for example /content/images/. Luckily I think that just blocking access to .md files, instead of directories, like is already being done for .ini files, should solve the issue and cause no collateral problems.

Thanks!

[andrigamerita]

I also just now noticed that the /content/data/search.json file includes contents for all posts, even the unpublished ones as said which, again, shouldn't be readable by just any user, and yet the file is accessible from the Internet with the suggested web server configuration.

Assuming there is no JavaScript or other client-side code that needs access to that file (or the other ones in /content/data/, for that matter), the quickest and surest way to fix this would be to also add a rule for blocking access to .json files in the web server, and thus to the example configuration.
What do you think?

[danpros]

Hello,

Thank you for your input.

Yes, currently the example configuration for server settings is still very basic, only blocking the most important files. Perhaps the most appropriate solution is to block all access to .md files and block access to the content/data folder.

  # Block access to .ini and .md files.
  location ~\.(ini|md)$ {
    deny all;
    return 404;
  }

  # Block access to the content/data folder.
  location /content/data/ {
    deny all;
    return 403;
  }

It seems that the additional config above is enough to protect files that should not be accessible to the public.

Edit: already update the example: https://docs.htmly.com/web-servers/nginx

[andrigamerita]

Hello again,
I just tested the new configuration on nginx, and it indeed works to protect Markdown files.
However, files inside the /content/data/ folder don't seem to be blocked.

I asked Copilot and it gave me a slightly different configuration, which I tried and seems to work as intended, so it would be appropriate to fix the documentation once again as follows:

location ~* ^/content/data/.*|.*\.(ini|md)$ {
    deny all;
    return 403;
}

At this point we should also verify that the configuration is correct for Apache and Lighttpd too, even if by looking at them they appear correct, just to be safe.