Welcome Guest, Not a member yet? Register   Sign In
Let's make auto routes disable

(03-25-2022, 09:10 PM)kenjis Wrote:
(03-25-2022, 08:08 PM)ChicagoPhil Wrote: My plan was to get the user status in the base controller constructor and then execute a permissions check in each method by default. That would avoid the pitfalls of using filters or auto routing?

Yes. If you protect the controller method directly, I mean you ensure permissions are always checked,
you won't make this vulnerability of auto routing and filters.

If you check the permissions in the controller constructor, it always runs when the controller is created and it can't be bypassed.
PHP language ensures it.

This vulnerability will be created when a controller method is accessible by a way that a developer does not expect,
and there is a way to bypass a checking, e.g. there is another route with no filters.

Another example is CSRF protection bypass.
The CSRF protection is also implemented as a controller filter, and it does not protect GET requests.
It is specification of the CSRF protection.

And auto routes make all controller methods accessible with GET requests.
So if a attacker makes a visitor to send GET request to an important controller method,
CSRF protection never protects.
But if you check the request method in the controller method, CSRF attack never succeed.
See https://codeigniter4.github.io/CodeIgnit...erequisite

That's helpful information right there. That might have slipped by me. I am getting a message that the getMethod method is deprecated but I just made up a method to run a check. Good deal!
Thanks again.

(03-26-2022, 12:16 AM)ChicagoPhil Wrote: I am getting a message that the getMethod method is deprecated but I just made up a method to run a check.

The getMethod() is not deprecated. The $upper functionality is deprecated.
See https://github.com/codeigniter4/CodeIgni...st.php#L89

Thank you to everyone who submitted comments.

The PR was merged into the develop branch.
Since v4.2.0, the auto-routing is disabled by default.

(This post was last modified: 02-08-2023, 06:53 PM by sneakyimp.)

(03-25-2022, 04:15 AM)kenjis Wrote: Auto routing is very dangerous, because it is very difficult to know all routes for human beings.
That is some unexpected routes to developers are automatically created and it may cause vulnerability.

In my experience, around 80% of Login/Auth tutorial articles have vulnerability that can bypass login.

That sounds like a problem with the tutorials rather than an inherent problem with CodeIgniter.

I don't like defining tons of routes, and much prefer to use autorouting, and frequently make use of the _remap function because it's quite useful when one is tweaking urls for SEO. If you have a controller and all of its methods should require some level of authentication, you can make a special AdminController whose init or constructor checks to make sure the user is authorized. If you have one or two methods in a controller that require authentication, it's quite easy to define an authentication-checking fn in your own base controller and expressly call it in any method that needs it.

I'd very much like to know more about how autorouting introduces security problems. Can anyone give more detail rather than simply linking a tutorial that has a security hole?

(03-25-2022, 04:44 PM)kenjis Wrote: @ChicagoPhil Okay, Good question.

See this tutorial:

You will create app/Controllers/User.php.

And you will define routes:
PHP Code:
$routes->group("api", function ($routes) {
    $routes->get("users""User::index", ['filter' => 'authFilter']);

If you will navigate to http://example.com/api/users (defined route), the authFilter will be applied.
But if you will navigate to http://example.com/user/index (auto route), the filter will not be applied.

This seems like a problem with using filters to enforce authentication rather than an autorouting problem. Just enforce the authentication in the controller or the method.

(This post was last modified: 02-08-2023, 07:08 PM by kenjis.)

@sneakyimp If you never use controller filters, there is no risk.
probably there are few risks.
But if you use CI4's CSRF protection, you are using controller filters.

See https://blog-a--way--out-net.translate.g...r_pto=wapp

Theme © iAndrew 2016 - Forum software by © MyBB