Security: Default WAC mode changed from permissive to restrictive

Summary

When no ACL file existed for a resource, JSS previously defaulted to allowing all access (permissive mode). As a result, unauthenticated users could POST arbitrary content to any container that had no ACL.

Attack Vector

  1. Attacker sends a POST request to any container without an ACL
  2. JSS accepts the request and creates a file with attacker-controlled content
  3. This was observed in the wild with Next.js RCE exploit payloads (CVE-2024-34351 style attacks)

Fix

Changed default behavior in src/wac/checker.js:

  • Before: No ACL = allow all access
  • After: No ACL = deny all access
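As an added illustration (not the project's src/wac/checker.js), the following JavaScript sketches a minimal WAC check that resolves the nearest ACL for a resource and applies the new deny-when-missing default, with a flag that reproduces the old permissive behaviour for comparison; the ROOT origin, the in-memory store layout and the function names are assumptions, and the root ACL is the advisory's example.

```javascript
// Added example, not JSS's own src/wac/checker.js: a minimal WAC check that
// resolves the nearest ACL for a resource and denies when none exists.
const ACL = 'http://www.w3.org/ns/auth/acl#';
const FOAF_AGENT = 'http://xmlns.com/foaf/0.1/Agent';
const ROOT = 'https://your-domain.com/'; // placeholder origin from the advisory
// Expand a compact IRI such as "acl:Read" via the document's @context.
function expand(ctx, iri) {
  const [prefix, ...rest] = iri.split(':');
  return ctx[prefix] ? ctx[prefix] + rest.join(':') : iri;
}
// Constructed store: URL -> ACL document; the root entry is the advisory's example ACL.
const store = {
  [ROOT]: {
    '@context': { acl: ACL, foaf: 'http://xmlns.com/foaf/0.1/' },
    '@graph': [
      { '@type': 'acl:Authorization', 'acl:agent': { '@id': ROOT + 'profile/card#me' },
        'acl:accessTo': { '@id': ROOT }, 'acl:default': { '@id': ROOT },
        'acl:mode': [{ '@id': 'acl:Read' }, { '@id': 'acl:Write' }, { '@id': 'acl:Control' }] },
      { '@type': 'acl:Authorization', 'acl:agentClass': { '@id': 'foaf:Agent' },
        'acl:accessTo': { '@id': ROOT }, 'acl:default': { '@id': ROOT },
        'acl:mode': [{ '@id': 'acl:Read' }] },
    ],
  },
};
// Walk up through parent containers to the first ACL; null when none is on the path.
function findAcl(aclStore, resourceUrl) {
  for (let url = resourceUrl; ; url = url.replace(/[^/]+\/?$/, '')) {
    if (aclStore[url]) return { acl: aclStore[url], at: url };
    if (url === new URL(url).origin + '/') return null; // root reached, nothing found
  }
}
// May `agent` (a WebID, or null when unauthenticated) perform `mode` on `resourceUrl`?
// `permissiveWhenMissing` reproduces the pre-fix behaviour; the fixed default is deny.
function isAllowed(aclStore, resourceUrl, agent, mode, permissiveWhenMissing = false) {
  const found = findAcl(aclStore, resourceUrl);
  if (!found) return permissiveWhenMissing;
  const ctx = found.acl['@context'];
  return found.acl['@graph'].some((auth) => {
    if (expand(ctx, auth['@type']) !== ACL + 'Authorization') return false;
    // A resource's own ACL applies via acl:accessTo; an ancestor's via acl:default.
    const scope = found.at === resourceUrl ? auth['acl:accessTo'] : auth['acl:default'];
    if (!scope || scope['@id'] !== found.at) return false;
    const agentOk = (agent !== null && auth['acl:agent']?.['@id'] === agent)
      || expand(ctx, auth['acl:agentClass']?.['@id'] ?? '') === FOAF_AGENT;
    return agentOk && [].concat(auth['acl:mode']).some((m) => expand(ctx, m['@id']) === ACL + mode);
  });
}
```

With the root ACL in place an anonymous POST to a sub-container is refused while reads still succeed; with an empty store every request is refused unless the old permissive flag is set.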

Fixed in

Commit f43ecdf

Action Required for Deployers

Ensure a root .acl file exists in your data directory. Example (JSON-LD format):

{
  "@context": {
    "acl": "http://www.w3.org/ns/auth/acl#",
    "foaf": "http://xmlns.com/foaf/0.1/"
  },
  "@graph": [
    {
      "@id": "#owner",
      "@type": "acl:Authorization",
      "acl:agent": { "@id": "https://your-domain.com/profile/card#me" },
      "acl:accessTo": { "@id": "https://your-domain.com/" },
      "acl:default": { "@id": "https://your-domain.com/" },
      "acl:mode": [
        { "@id": "acl:Read" },
        { "@id": "acl:Write" },
        { "@id": "acl:Control" }
      ]
    },
    {
      "@id": "#public",
      "@type": "acl:Authorization",
      "acl:agentClass": { "@id": "foaf:Agent" },
      "acl:accessTo": { "@id": "https://your-domain.com/" },
      "acl:default": { "@id": "https://your-domain.com/" },
      "acl:mode": [
        { "@id": "acl:Read" }
      ]
    }
  ]
}

Labels

security, breaking-change