Skip to content

Commit b9dd4b2

Browse files
keulinhoCopilotIsengo1989
authored
Chore: clarify security notes on ACL and underlying tech (#2211)
* Chore: clarify security notes on ACL and underlying tech * Update resources/references/security.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update resources/references/security.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update resources/references/security.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update resources/references/security.md * Update resources/references/security.md * Update resources/references/security.md * fix/spellcheck --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Micha Hobert <m.hobert@shopware.com>
1 parent 88eb689 commit b9dd4b2

1 file changed

Lines changed: 10 additions & 2 deletions

File tree

resources/references/security.md

Lines changed: 10 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -19,7 +19,10 @@ If you have found a security vulnerability in Shopware, please report it to us f
1919

2020
The Access Control List (ACL) in Shopware ensures that by default, data can only be created, read, updated, or deleted (CRUD), once the user has specific privileges for a module. [ACL in the Administration](../../concepts/framework/architecture/administration-concept#acl-in-the-administration)
2121

22-
## API aware field
22+
Issues in the ACL permission validation are generally treated as bugs. They are not considered security vulnerabilities by themselves, as long as the missing or incorrect permission check does not result in privilege escalation, unauthorized access to sensitive data, or similar severe consequences.
23+
This is because, in such cases, malicious actors would already need to be authenticated with access to the Administration (or an authenticated Admin API context).
24+
25+
## API-aware field
2326

2427
The `ApiAware` flag allows you to control what fields of your entity are exposed to the Store API. For more information, refer to [Flags Reference](core-reference/dal-reference/flags-reference).
2528

@@ -79,4 +82,9 @@ To enable access even during maintenance mode, IP addresses can be added to [Sto
7982

8083
## SQL injection
8184

82-
SQL injection allows an attacker to execute new or modify existing SQL statements to access information that they are not allowed to access. By mainly using our own [Data Abstraction Layer](/docs/concepts/framework/data-abstraction-layer.html), that does not expose SQL directly, most of the SQL injection attack vectors are prevented. Whenever direct SQL is being used, the [best practices from Doctrine DBAL](https://www.doctrine-project.org/projects/doctrine-dbal/en/current/reference/security.html) are followed to ensure proper escaping of user input.
85+
SQL injection allows an attacker to execute new or modify existing SQL statements to access information that they are not allowed to access. Shopware primarily uses our own [Data Abstraction Layer](../../concepts/framework/data-abstraction-layer.md), which does not expose SQL directly, so most SQL injection attack vectors are prevented. Whenever direct SQL is being used, the [best practices from Doctrine DBAL](https://www.doctrine-project.org/projects/doctrine-dbal/en/current/reference/security.html) are followed to ensure proper escaping of user input.
86+
87+
## Exposing underlying technology
88+
89+
Some features intentionally expose the underlying technology upon which they are built. For example, the underlying Twig templating system is exposed when the user provides mail templates, SEO URL templates, or Product Export templates. Similarly, direct CSS access is exposed over the theme configuration.
90+
If a user has the required ACL permissions for these features, they also gain access to the underlying technology behind them. Because of that, you should only grant these permissions to users who are trusted to work with these capabilities and understand their impact.

0 commit comments

Comments
 (0)