Let's make auto routes disabled
#11

If we disable auto-routing by default from v4.2.0,
the config file is located in app/Config/, so existing projects are not affected.

We don't need to wait for v5.0, do we?
#12

(02-26-2022, 03:04 AM)kenjis Wrote: If we disable auto-routing by default from v4.2.0,
the config file is located in app/Config/, so existing projects are not affected.

We don't need to wait for v5.0, do we?

Good to hear that.
Codeigniter First, Codeigniter Then You!!
yekrinaDigitals

#13

I sent a PR to disable auto-routing by default:
https://github.com/codeigniter4/CodeIgniter4/pull/5757
#14

Thanks @kenjis
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
#15

(02-21-2022, 07:45 PM)kenjis Wrote: Auto routes are really dangerous. They could create vulnerabilities in your app very easily.
I strongly recommend you disable auto routes.

For example, see this tutorial:
https://www.binaryboxtuts.com/php-tutori...ntication/
If you build the tutorial app, an attacker could get the list of users without a token.

How to disable auto routes:
app/Config/Routes.php
PHP Code:
$routes->setAutoRoute(false);
See https://codeigniter4.github.io/userguide...outes-only

Why? I really like using it.
Is it because of the JavaScript?
#16

(This post was last modified: 03-25-2022, 04:21 AM by kenjis.)

(03-24-2022, 11:13 PM)ChicagoPhil Wrote: Why? I really like using it.
Is it because of the JavaScript?

No. JavaScript does not matter.

Auto routing is very dangerous, because it is very difficult for human beings to know all the routes.
That is, some routes the developers do not expect are created automatically, and that may cause a vulnerability.

In my experience, around 80% of Login/Auth tutorial articles have a vulnerability that allows bypassing the login.

I don't propose to remove the auto routing feature.
I just recommend disabling it, and propose making it disabled by default.

If a user wants to use it, they can enable it and use it with caution.
#17

(03-25-2022, 04:15 AM)kenjis Wrote:
(03-24-2022, 11:13 PM)ChicagoPhil Wrote: Why? I really like using it.
Is it because of the JavaScript?

No. JavaScript does not matter.

Auto routing is very dangerous, because it is very difficult for human beings to know all the routes.
That is, some routes the developers do not expect are created automatically, and that may cause a vulnerability.

In my experience, around 80% of Login/Auth tutorial articles have a vulnerability that allows bypassing the login.

I don't propose to remove the auto routing feature.
I just recommend disabling it, and propose making it disabled by default.

If a user wants to use it, they can enable it and use it with caution.

I just happen to be working on a login system at the moment myself. I have auto routing on right now. It would be nice to know specifically how one might bypass the login because of a routing feature so that I can keep it on and make sure nobody can bypass it. I don't have the best mind for trying to hack things.

I understand you recommend turning it off as a solution but in my opinion, it shouldn't be a feature at all if it can't be used in a secure manner.

I'm not here to hijack the conversation if it's still ongoing. I'm just trying to get the proper information. I'll probably just turn it off now but I don't understand why other than phantom routing of some sort.
#18

(This post was last modified: 03-25-2022, 04:52 PM by kenjis.)

@ChicagoPhil Okay, Good question.

See this tutorial:
https://www.binaryboxtuts.com/php-tutori...ntication/

You will create app/Controllers/User.php.

And you will define routes:
PHP Code:
$routes->group("api", function ($routes) {
    $routes->post("register", "Register::index");
    $routes->post("login", "Login::index");
    $routes->get("users", "User::index", ['filter' => 'authFilter']);
});

If you navigate to http://example.com/api/users (the defined route), the authFilter will be applied.
But if you navigate to http://example.com/user/index (an auto route), the filter will not be applied.
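As an added example (not code from the thread or from the linked tutorial), here is the tutorial's route group rewritten so that the only path to User::index is the filtered one. Auto routing is switched off, and the auth filter is additionally registered as a global filter in app/Config/Filters.php with the two public endpoints excluded, so a route that someone later forgets to annotate is still covered. The class name App\Filters\AuthFilter and the session keys are assumptions; the thread only names the alias 'authFilter'.

```php
<?php
// Added example, not the thread's or the tutorial's own code.
// Assumption: the tutorial's filter lives in App\Filters\AuthFilter and is
// registered under the alias 'authFilter'.

// ---- app/Config/Routes.php --------------------------------------------
// With auto routing off, a controller method is reachable only if a route
// names it, so there is no unfiltered "/user/index" twin of "/api/users".
$routes->setAutoRoute(false);

$routes->group('api', function ($routes) {
    $routes->post('register', 'Register::index');
    $routes->post('login', 'Login::index');
    // The per-route filter stays, but it is no longer the only line of defence.
    $routes->get('users', 'User::index', ['filter' => 'authFilter']);
});

// ---- app/Config/Filters.php (the relevant part of the class) -----------
// Defence in depth: run authFilter before every request except the two
// endpoints that must be reachable without a token. A new route added later
// without a 'filter' option is still protected.
namespace Config;

use App\Filters\AuthFilter;          // assumed class name
use CodeIgniter\Config\BaseConfig;
use CodeIgniter\Filters\CSRF;

class Filters extends BaseConfig
{
    public $aliases = [
        'csrf'       => CSRF::class,
        'authFilter' => AuthFilter::class,
    ];

    public $globals = [
        'before' => [
            'csrf',
            'authFilter' => ['except' => ['api/login', 'api/register']],
        ],
        'after' => [],
    ];

    public $methods = [];
    public $filters = [];
}
```

After the change, `php spark routes` lists only the routes you defined, which is a quick way to confirm that no auto route to User::index remains.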
#19

(03-25-2022, 04:44 PM)kenjis Wrote: @ChicagoPhil Okay, Good question.

See this tutorial:
https://www.binaryboxtuts.com/php-tutori...ntication/

You will create app/Controllers/User.php.

And you will define routes:
PHP Code:
$routes->group("api", function ($routes) {
    $routes->post("register", "Register::index");
    $routes->post("login", "Login::index");
    $routes->get("users", "User::index", ['filter' => 'authFilter']);
});

If you navigate to http://example.com/api/users (the defined route), the authFilter will be applied.
But if you navigate to http://example.com/user/index (an auto route), the filter will not be applied.

So because the routes are defined and auto routing is on, the filter is not executed, but this doesn't seem to be a vulnerability in the routing as much as a coding error. I never intended to use the before filter for the library that I'm building. My plan was to get the user status in the base controller constructor and then execute a permissions check in each method by default. That would avoid the pitfalls of using filters or auto routing?
It's the way I did things in CI3. I even added a Core folder to CI4 because I'm a dinosaur that is stuck in my ways. :-)
#20

(This post was last modified: 03-25-2022, 09:10 PM by kenjis.)

(03-25-2022, 08:08 PM)ChicagoPhil Wrote: My plan was to get the user status in the base controller constructor and then execute a permissions check in each method by default. That would avoid the pitfalls of using filters or auto routing?

Yes. If you protect the controller method directly, I mean if you ensure permissions are always checked,
you won't create this vulnerability of auto routing and filters.

If you check the permissions in the controller constructor, it always runs when the controller is created and it can't be bypassed.
The PHP language ensures it.

This vulnerability is created when a controller method is accessible in a way that a developer does not expect,
and there is a way to bypass a check, e.g. there is another route with no filters.

Another example is CSRF protection bypass.
The CSRF protection is also implemented as a controller filter, and it does not protect GET requests.
That is the specification of the CSRF protection.

And auto routes make all controller methods accessible with GET requests.
So if an attacker makes a visitor send a GET request to an important controller method,
the CSRF protection never protects it.
But if you check the request method in the controller method, a CSRF attack never succeeds.
See https://codeigniter4.github.io/CodeIgnit...erequisite
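As an added example (not code posted by kenjis or ChicagoPhil), here is a controller written the way the last two posts describe: the permission check sits in the controller itself and the state-changing action verifies the request method, so neither check depends on which route, defined or automatic, reached the controller. In CodeIgniter 4 the place for per-controller setup is initController() rather than the constructor, because the request, response and logger are injected there; the check is the same. The session keys 'user_id' and 'role', the Admin controller and the deleteUser action are assumptions made for the example.

```php
<?php
// Added example, not the thread's own code. Assumes the login code stores
// 'user_id' and 'role' in the session (constructed names).

namespace App\Controllers;

use CodeIgniter\Controller;
use CodeIgniter\Exceptions\PageNotFoundException;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;
use Psr\Log\LoggerInterface;

class Admin extends Controller
{
    /**
     * Runs before every action of this controller, whether the request came
     * through a defined route, an auto route, or a route without filters.
     */
    public function initController(RequestInterface $request, ResponseInterface $response, LoggerInterface $logger)
    {
        parent::initController($request, $response, $logger);

        $session = session();
        if ($session->get('user_id') === null || $session->get('role') !== 'admin') {
            // Behave like an unknown URL so the existence of the admin
            // controller is not confirmed to an unauthenticated visitor.
            throw PageNotFoundException::forPageNotFound();
        }
    }

    /**
     * A state-changing action. The CSRF filter only covers non-GET requests,
     * so the method itself refuses anything that is not POST; a GET arriving
     * here (for example through an auto route) therefore cannot delete anything.
     */
    public function deleteUser(int $id)
    {
        // getMethod() returned lower-case in 4.2; strtolower keeps this robust.
        if (strtolower($this->request->getMethod()) !== 'post') {
            return $this->response->setStatusCode(405, 'Method Not Allowed');
        }

        // ... the actual deletion of user $id goes here ...

        return redirect()->to('/admin/users');
    }
}
```

Because the method check is inside the action, it holds even if the route were later declared with `$routes->add()` (any method) instead of `$routes->post()`, and the permission check in initController() holds even if every filter were removed from the configuration.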