Potential security problem with the snitch plugin

While the snitch plugin (GitHub - bleutzinn/grav-plugin-snitch: Exposes user information in Twig, from @bleutzinn) is a very useful tool for development purposes, I discovered a pattern of use which can unexpectedly reveal all of a website's parameters, including all the user details and possibly sensitive information, to the internet. This stems from the default snitch setting "enabled: true".

  1. Build a Grav website
  2. Install the snitch plugin
  3. Create an environment configuration area under user/, e.g. user/localhost
  4. Create an environment configuration for the main production website, e.g. user/www.widgets.com
  5. Disable the snitch plugin on the www.mydomain.com environment

Note that although the snitch plugin is now apparently disabled on the production website, it is enabled in the localhost and default settings. Many hosting arrangements will permit requests to mydomain.com as well as to www.mydomain.com. http://mydomain.com will use the default settings so internet browsers accessing http://mydomain.com will see all the Grav parameters.

I suggest that the snitch source setting be changed to "enabled: false" to avoid this scenario. Users should be advised to enable the plugin for their specific dev environment, but not in the default settings. It is generally good security practice to have default settings for parameters which could be security concerns set to "disabled".

Regards,
Martin

This topic is a cross-post from this issue at the Snitch plugin repo: Recommend setting default enabled setting to false · Issue #1 · bleutzinn/grav-plugin-snitch · GitHub

Please follow discussion at repo.
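The scenario in the post, modelled as an added example (this is not Grav's or the plugin's code). It assumes the lookup order the post describes: a request for host X reads `user/X/config/plugins/snitch.yaml` on top of the defaults in `user/config/plugins/snitch.yaml`, and a host with no matching environment directory gets only the defaults. The file layouts are constructed stand-ins for the YAML files on disk, using mydomain.com throughout; the `audit` helper is a hypothetical check, not a Grav feature.

```python
"""Added example: how a per-host environment override interacts with a
plugin's shipped default `enabled` value (not Grav's own code)."""

# Constructed stand-in for the parsed YAML on disk. Keys are the paths that
# would be read; values are the parsed contents of each snitch.yaml.
# Assumption: user/<hostname>/config overrides user/config for that host only.
UNSAFE_LAYOUT = {
    "user/config/plugins/snitch.yaml": {"enabled": True},            # plugin default as shipped
    "user/localhost/config/plugins/snitch.yaml": {"enabled": True},  # dev environment
    "user/www.mydomain.com/config/plugins/snitch.yaml": {"enabled": False},  # production
}

# Same site, but with the default changed as the post recommends.
SAFE_LAYOUT = {
    "user/config/plugins/snitch.yaml": {"enabled": False},           # proposed default
    "user/localhost/config/plugins/snitch.yaml": {"enabled": True},  # dev explicitly opts in
    "user/www.mydomain.com/config/plugins/snitch.yaml": {"enabled": False},
}


def effective_plugin_config(layout, host, plugin="snitch"):
    """Return the config that would apply to `plugin` for a request to `host`.

    Defaults come from user/config; if an environment directory named after
    the host exists its values override them. A host without its own
    environment directory (e.g. the bare apex name) falls through to the
    defaults untouched, which is exactly the gap the post describes.
    """
    merged = dict(layout.get(f"user/config/plugins/{plugin}.yaml", {}))
    env_path = f"user/{host}/config/plugins/{plugin}.yaml"
    if env_path in layout:
        merged.update(layout[env_path])
        merged["_source"] = env_path
    else:
        merged["_source"] = "user/config (default)"
    return merged


def plugin_active(layout, host, plugin="snitch"):
    """True if the plugin would run for a request to `host`."""
    return bool(effective_plugin_config(layout, host, plugin).get("enabled", False))


def audit(layout, hosts, dev_hosts=("localhost",), plugin="snitch"):
    """Hypothetical deployment check: list every host on which a debugging
    plugin is active but which is not a known development host."""
    return [h for h in hosts
            if plugin_active(layout, h, plugin) and h not in dev_hosts]


if __name__ == "__main__":
    hosts = ["localhost", "www.mydomain.com", "mydomain.com"]
    for name, layout in (("unsafe default", UNSAFE_LAYOUT), ("safe default", SAFE_LAYOUT)):
        for h in hosts:
            cfg = effective_plugin_config(layout, h)
            print(f"{name:14} {h:18} enabled={cfg['enabled']!s:5} via {cfg['_source']}")
        print(f"{name:14} findings: {audit(layout, hosts)}")
```

With the shipped default, `mydomain.com` has no environment directory, so it inherits `enabled: true` and shows up as a finding even though `www.mydomain.com` was disabled; with the default flipped to `false`, only the explicitly opted-in dev host runs the plugin. The same check generalises to any plugin whose output should never reach production: enumerate every hostname the server actually answers for, not just the ones with an environment directory.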