To go further, if we implement user scopes by project (as planned), even logged in users shouldn't have access to all report files.
This needs further reflection, but maybe the files shouldn't be served as static files but be served behind a view with a permission decorator?
Yes, you're right, this issue needs more reflection as we will implement ACL.
To address this issue quickly, I think using a UUID instead of the scan_id for the folder name could be a good workaround while we work on a more complete solution.
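The two ideas in this thread, a permission-gated view instead of static serving and an unguessable folder name instead of `<domain>_<scan_id>`, can be shown together in framework-agnostic Python. The block below is an added example, not reNgine's own code: `User`, `ScanRecord`, the per-project ACL model and the media root path are assumptions made for illustration, and only the file name `subdomains_sublister.txt` comes from the issue. In Django the `resolve_report_file` check would sit inside a view wrapped in `login_required` that returns a `FileResponse`, while nginx stops serving `/media/` directly.

```python
"""Access check for scan report files: authenticate, authorize by project,
confine the path. Added example; models and paths are assumptions."""
import uuid
from dataclasses import dataclass, field
from pathlib import Path


@dataclass(frozen=True)
class User:
    username: str
    is_authenticated: bool
    # Projects this user is scoped to: stand-in for the planned per-project ACL.
    projects: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class ScanRecord:
    scan_id: int
    domain: str
    project: str
    # Thread's workaround: a random folder name instead of "<domain>_<scan_id>",
    # so report paths can no longer be enumerated by counting scan ids.
    folder: str = field(default_factory=lambda: uuid.uuid4().hex)


class AccessDenied(Exception):
    """Raised for any request that must not be served; message is the reason."""


def resolve_report_file(media_root, scans, user, folder, filename):
    """Return the on-disk Path of a report file or raise AccessDenied.

    This is the check a permission-gated view runs instead of letting the web
    server hand out /media/ as static files. Order: authenticate, authorize
    against the scan's project, then confine the final path to that scan's
    own directory (not merely to media_root, or "../<other-folder>/" would
    hop into a sibling scan the user is not allowed to see).
    """
    if not user.is_authenticated:
        raise AccessDenied("login required")
    scan = scans.get(folder)
    if scan is None or scan.project not in user.projects:
        # One message for "unknown" and "not yours", so the view is not an
        # oracle for which folders exist.
        raise AccessDenied("no such report")
    scan_dir = (Path(media_root) / scan.folder).resolve()
    candidate = (scan_dir / filename).resolve()
    if scan_dir not in candidate.parents:
        # "../" or absolute filenames would escape the scan's directory.
        raise AccessDenied("no such report")
    return candidate


def access_outcome(media_root, scans, user, folder, filename):
    """'allowed' or the denial reason, for tests and audit logging."""
    try:
        resolve_report_file(media_root, scans, user, folder, filename)
        return "allowed"
    except AccessDenied as exc:
        return str(exc)


def demo_outcomes(media_root="/srv/rengine/media"):
    """Constructed fixture: two scans in different projects, three requesters."""
    scan = ScanRecord(scan_id=12, domain="example.com", project="acme")
    other_scan = ScanRecord(scan_id=13, domain="example.org", project="other")
    scans = {scan.folder: scan, other_scan.folder: other_scan}
    owner = User("alice", True, frozenset({"acme"}))
    outsider = User("bob", True, frozenset({"other"}))
    anon = User("", False)
    legacy_folder = f"{scan.domain}_{scan.scan_id}"  # the enumerable old scheme
    report = "subdomains_sublister.txt"
    return {
        "anonymous": access_outcome(media_root, scans, anon, scan.folder, report),
        "wrong_project": access_outcome(media_root, scans, outsider, scan.folder, report),
        "legacy_name": access_outcome(media_root, scans, owner, legacy_folder, report),
        "traversal": access_outcome(media_root, scans, owner, scan.folder, "../../../etc/passwd"),
        "sibling_scan": access_outcome(media_root, scans, owner, scan.folder,
                                       f"../{other_scan.folder}/{report}"),
        "owner": access_outcome(media_root, scans, owner, scan.folder, report),
    }


if __name__ == "__main__":
    for case, outcome in demo_outcomes().items():
        print(f"{case:>14}: {outcome}")
```

`Path.resolve()` normalises `..` segments and follows symlinks without requiring the file to exist, which is why the containment test compares resolved paths on both sides; comparing raw strings would let `folder/../../x` through. The UUID folder only removes the enumeration from the issue; it is the view's project check that closes the unauthenticated read, so the two belong together rather than as alternatives.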
Is there an existing issue for this?
Current Behavior
Submitted by @confd0
The huntr.com link for reNgine is down, and the email was not responded to, so I put it here.
I just installed reNgine v2.0.3 and found an nginx config file: https://github.com/yogeshojha/rengine/blob/f362189c9b253fd38c7c17c08e5cfc87aee0bfaf/config/nginx/rengine.conf
It looks like I can read any scan result file from another reNgine site if I know the file names, and the file names can be brute forced:
Expected Behavior
Non-logged-in users should not have the privilege to read scan result files.
Steps To Reproduce
Brute force https://rengine_example.com/media/<domain>_<int>/subdomains_sublister.txt, changing <domain> and <int> to fuzz.
Environment
Anything else?
No response