fix(cve): display security disclaimer when debug mode is active (#540)

eveseat · Jan 13, 2021 · 575d245 · 575d245
1 parent 28182d9
commit 575d245
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 0 deletions.
diff --git a/src/resources/lang/en/seat.php b/src/resources/lang/en/seat.php
@@ -157,6 +157,7 @@
     'characters_in_group'   => 'Character in group|Characters in group',
 
     // Notifications
+    'critical'              => 'Critical',
     'error'                 => 'Error',
     'success'               => 'Success',
     'warning'               => 'Warning',

diff --git a/src/resources/views/layouts/app.blade.php b/src/resources/views/layouts/app.blade.php
@@ -76,6 +76,42 @@
       <section class="content">
         <div class="container-fluid">
 
+          <!-- Disclaimer Configuration Alerts -->
+          @if(config('app.debug', false))
+            @can('global.superuser')
+              <div class="alert alert-danger" role="alert">
+                <h4 class="alert-heading"><i class="fas fa-bug"></i> {{ trans('web::seat.critical') }} !</h4>
+
+                <p>
+                  It appears you're using <b>debug mode</b>.<br/>
+                  This setting can result in a security outage for your overall system by disclosing confidential
+                  and critical information.
+                </p>
+                <p>
+                  Depending on case, it even allow user to execute malicious code on your server and
+                  alter at least SeAT codebase by exploiting backdoors.
+                </p>
+
+                <hr/>
+
+                <p>
+                  If you're not using it, you <b>SHOULD</b> disable it right now !<br/>
+                  To do so, edit your <kbd>.env</kbd> file and replace the value of <kbd>APP_DEBUG</kbd> from <kbd>true</kbd> to <kbd>false</kbd>.<br/>
+                  Once done, ensure cached configuration is up-to-date by executing <kbd>php artisan config:cache</kbd>.
+                </p>
+              </div>
+            @else
+              <div class="alert alert-warning" role="alert">
+                <h4 class="alert-heading"><i class="fas fa-bug"></i> {{ trans('web::seat.critical') }} !</h4>
+
+                <p>
+                  There are some important information which require an update.<br/>
+                  Please contact your administrator as soon as possible and ask him to connect to SeAT using an administrator account.
+                </p>
+              </div>
+            @endif
+          @endif
+
           <!-- Notifications -->
           @include('web::includes.notifications')