Summary
All Filament features that interact with storage use the default_filesystem_disk
config option. This allows the user to easily swap their storage driver to something production-ready like s3
when deploying their app, without having to touch multiple configuration options and potentially forgetting about some.
The default disk is set to public
when you first install Filament, since this allows users to quickly get started developing with a functional disk that allows features such as file upload previews locally without the need to set up an S3 disk with temporary URL support.
However, some features of Filament such as exports also rely on storage, and the files that are stored contain data that should often not be public. This is not an issue for the many deployed applications, since many use a secure default disk such as S3 in production. However, CWE-1188 suggests that having the public
disk as the default disk in Filament is a security vulnerability itself:
Developers often choose default values that leave the product as open and easy to use as possible out-of-the-box, under the assumption that the administrator can (or should) change the default value. However, this ease-of-use comes at a cost when the default is insecure and the administrator does not change it.
As such, we have implemented a measure to protect users whereby if the public
disk is set as the default disk, the exports feature will automatically swap it out for the local
disk, if that exists. Users who set the default disk to local
or s3
already are not affected. If a user wants to continue to use the public
disk for exports, they can by setting the export disk deliberately.
Details
Product: filament/actions
Version: >=3.2
CWE-ID:CWE-1188: Initialization of a Resource with an Insecure Default
Description: The default configuration saves export files to a public disk, allowing unauthorized users to download exported data.
Impact: Reading export files without access control
Vulnerable component:
https://github.com/filamentphp/filament/blob/3.x/packages/actions/src/Exports/Exporter.php#L144-L153
Exploitation conditions: Unauthorized user
Researcher: Vladislav Gladky (Positive Technologies)
Summary
All Filament features that interact with storage use the
default_filesystem_disk
config option. This allows the user to easily swap their storage driver to something production-ready likes3
when deploying their app, without having to touch multiple configuration options and potentially forgetting about some.The default disk is set to
public
when you first install Filament, since this allows users to quickly get started developing with a functional disk that allows features such as file upload previews locally without the need to set up an S3 disk with temporary URL support.However, some features of Filament such as exports also rely on storage, and the files that are stored contain data that should often not be public. This is not an issue for the many deployed applications, since many use a secure default disk such as S3 in production. However, CWE-1188 suggests that having the
public
disk as the default disk in Filament is a security vulnerability itself:As such, we have implemented a measure to protect users whereby if the
public
disk is set as the default disk, the exports feature will automatically swap it out for thelocal
disk, if that exists. Users who set the default disk tolocal
ors3
already are not affected. If a user wants to continue to use thepublic
disk for exports, they can by setting the export disk deliberately.Details
Product: filament/actions
Version: >=3.2
CWE-ID:CWE-1188: Initialization of a Resource with an Insecure Default
Description: The default configuration saves export files to a public disk, allowing unauthorized users to download exported data.
Impact: Reading export files without access control
Vulnerable component:
https://github.com/filamentphp/filament/blob/3.x/packages/actions/src/Exports/Exporter.php#L144-L153
Exploitation conditions: Unauthorized user
Researcher: Vladislav Gladky (Positive Technologies)