Description
Symfony version(s) affected: 4.4.16
Description
In my security.yaml, I had added a comment under the access_control entries. My editor automatically prepended the line with a dash, which I didn't notice. Suddenly my acceptance tests started failing and my application started to behave weirdly.
After hours of debugging and figuring out why the AccessListener wasn't throwing an AccessDenied exception anymore when logged out, I finally found the problematic line in the security.yml.
I think this is a big issue, because this tiny typo opened up my entire application to the public. I think there should be some kind of validation on the access_control lines, it should at least have an object with a path on the line, or something like that. See below for an easy reproduction:
How to reproduce
access_control:
# This makes the logout route available during two-factor authentication, allows the user to cancel
- { path: ^/logout, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/reset-password, role: IS_AUTHENTICATED_ANONYMOUSLY }
- # some comment about what is happening here
- { path: ^/2fa, role: IS_AUTHENTICATED_2FA_IN_PROGRESS }
- { path: ^/login_check, role: IS_AUTHENTICATED_FULLY }
- { path: ^/admin, roles: ROLE_ADMIN_MENU }
- { path: ^/support, roles: ROLE_NO_ACCESS }
- { path: ^/bewind, role: ROLE_SOMEROLE }
- { path: ^/(meldingen|profile), roles: ROLE_USER}
- { path: ^/(?!login|logout|login_check|api), roles: ROLE_SOMEOTHERROLE }If you now logout, the security listeners will not throw an access denied exception and will not redirect you to /login, therefore all security lines AFTER the comment will not be adhered to and are fully accessible by an anonymous user.
Possible Solution
Validation on the access_control lines, it should at least contain an object with the "path" key (I guess?)