Title: Security: Default WAC mode changed from permissive to restrictive · Issue #32 · JavaScriptSolidServer/JavaScriptSolidServer · GitHub
Description: Summary When no ACL file exists for a resource, JSS was previously defaulting to allowing all access (permissive mode). This allowed unauthenticated users to POST arbitrary content to unprotected containers. Attack Vector Attacker sends ...
Opengraph URL: https://github.com/JavaScriptSolidServer/JavaScriptSolidServer/issues/32
Author: melvincarvalho
Published: 2026-01-03T17:06:36Z

## Summary

When no ACL file exists for a resource, JSS was previously defaulting to allowing all access (permissive mode). This allowed unauthenticated users to POST arbitrary content to unprotected containers.

## Attack Vector

1. Attacker sends POST request to any container without an ACL
2. JSS accepts the request and creates a file with attacker-controlled content
3. This was observed in the wild with Next.js RCE exploit payloads (CVE-2024-34351 style attacks)

## Fix

Changed default behavior in `src/wac/checker.js`:
- **Before**: No ACL = allow all access
- **After**: No ACL = deny all access

## Fixed in

Commit f43ecdf

## Action Required for Deployers

Ensure a root `.acl` file exists in your data directory. Example (JSON-LD format):

```json
{
  "@context": {
    "acl": "http://www.w3.org/ns/auth/acl#",
    "foaf": "http://xmlns.com/foaf/0.1/"
  },
  "@graph": [
    {
      "@id": "#owner",
      "@type": "acl:Authorization",
      "acl:agent": { "@id": "https://your-domain.com/profile/card#me" },
      "acl:accessTo": { "@id": "https://your-domain.com/" },
      "acl:default": { "@id": "https://your-domain.com/" },
      "acl:mode": [
        { "@id": "acl:Read" },
        { "@id": "acl:Write" },
        { "@id": "acl:Control" }
      ]
    },
    {
      "@id": "#public",
      "@type": "acl:Authorization",
      "acl:agentClass": { "@id": "foaf:Agent" },
      "acl:accessTo": { "@id": "https://your-domain.com/" },
      "acl:default": { "@id": "https://your-domain.com/" },
      "acl:mode": [
        { "@id": "acl:Read" }
      ]
    }
  ]
}
```

## Labels

security, breaking-change
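As an added example (not code from the JSS repository): a minimal WAC check in JavaScript that implements the restrictive default described in the issue, walking up the container hierarchy to the nearest `.acl` and evaluating the issue's root ACL for a few requests. `ROOT`, `aclStore`, `findAcl` and `checkAccess` are names assumed here, and the check is deliberately simplified (only `acl:agent` and `foaf:Agent`, no groups, origins or `acl:AuthenticatedAgent`); the `permissiveIfMissing` flag exists only to show the pre-fix behaviour side by side with the fixed default.

```javascript
// Added example (not JSS's own code): a minimal WAC checker showing the
// restrictive default from this issue. ROOT, aclStore, findAcl, checkAccess are assumed names.
const ROOT = "https://your-domain.com/";
// Constructed sample: the root .acl document from the issue, as JSON-LD.
const rootAcl = {
  "@context": { acl: "http://www.w3.org/ns/auth/acl#", foaf: "http://xmlns.com/foaf/0.1/" },
  "@graph": [
    { "@id": "#owner", "@type": "acl:Authorization",
      "acl:agent": { "@id": ROOT + "profile/card#me" },
      "acl:accessTo": { "@id": ROOT }, "acl:default": { "@id": ROOT },
      "acl:mode": [{ "@id": "acl:Read" }, { "@id": "acl:Write" }, { "@id": "acl:Control" }] },
    { "@id": "#public", "@type": "acl:Authorization",
      "acl:agentClass": { "@id": "foaf:Agent" },
      "acl:accessTo": { "@id": ROOT }, "acl:default": { "@id": ROOT },
      "acl:mode": [{ "@id": "acl:Read" }] },
  ],
};
// Constructed ACL store: resource/container URL -> its .acl document (absent = no ACL).
const aclStore = new Map([[ROOT, rootAcl]]);
// Walk from the resource up to the root container and return the nearest ACL,
// noting whether it is the resource's own (acl:accessTo) or an ancestor's (acl:default).
function findAcl(resource, store) {
  let url = resource;
  let inherited = false;
  while (url.startsWith(ROOT)) {
    if (store.has(url)) return { doc: store.get(url), inherited };
    if (url === ROOT) break;
    const trimmed = url.endsWith("/") ? url.slice(0, -1) : url;
    url = trimmed.slice(0, trimmed.lastIndexOf("/") + 1); // parent container
    inherited = true;
  }
  return null; // no ACL anywhere on the path
}
// True only if an applicable authorization grants `mode` (e.g. "Write") to `agent`
// (null for an unauthenticated request). With no ACL found, the fixed default is deny;
// permissiveIfMissing = true reproduces the pre-fix "no ACL = allow all" behaviour.
function checkAccess(resource, agent, mode, store, permissiveIfMissing = false) {
  const found = findAcl(resource, store);
  if (!found) return permissiveIfMissing;
  const scope = found.inherited ? "acl:default" : "acl:accessTo";
  return found.doc["@graph"].some((auth) => {
    if (!auth[scope]) return false; // authorization does not cover this resource
    const modes = [].concat(auth["acl:mode"] || []).map((m) => m["@id"]);
    const isPublic = auth["acl:agentClass"]?.["@id"] === "foaf:Agent";
    const isAgent = agent !== null && auth["acl:agent"]?.["@id"] === agent;
    return (isPublic || isAgent) && modes.includes("acl:" + mode);
  });
}
```

With the issue's ACL in place, an unauthenticated POST (a Write) to any container is refused, while an empty store now refuses everything instead of allowing everything.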