Lookup for vulnerable packages by Package URL.

Purl pkg:gem/decidim-comments@0.30.1
Type gem
Namespace
Name decidim-comments
Version 0.30.1
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 0.30.5
Latest_non_vulnerable_version 0.31.1
Affected_by_vulnerabilities
0
url VCID-afrd-7jmp-fqdv
vulnerability_id VCID-afrd-7jmp-fqdv
summary
Decidim's comments API allows access to all commentable resources
### Impact

The root level `commentable` field in the API allows access to all
commentable resources within the platform, without any permission
checks. All Decidim instances are impacted that have not secured
the `/api` endpoint. The `/api` endpoint is publicly available
with the default configuration.

### Patches

Not available

### Workarounds

To mitigate the issue, you can limit the scope to only authenticated
users by limiting access to the `/api` endpoint. This would require
custom code or installing the 3rd party module `Decidim::Apiauth`.

With custom code, the `/api` endpoint can be limited to only
authenticated users with the following code (needs to run during
application initialization):

```ruby
# Within your application
# config/initializers/limit_api_access.rb

module LimitApiAccess
  extend ActiveSupport::Concern

  included do
    # Runs before any other filter on the API controller: unauthenticated
    # requests get a 401 and the action is never reached.
    prepend_before_action do |controller|
      unless controller.send(:user_signed_in?)
        render plain: I18n.t("actions.login_before_access",
          scope: "decidim.core"), status: :unauthorized
      end
    end
  end
end

# Mix the concern into the API controller once the app classes are loaded.
Rails.application.config.to_prepare do
  Decidim::Api::ApplicationController.include(LimitApiAccess)
end
```

Please note that this would only disable public access to the API;
all authenticated users would still be able to exploit the
vulnerability. This may be sufficient for some installations,
but not for all.

Another workaround is to limit the availability of the `/api` endpoint
to only trusted IP ranges that need to access the API. The
following Nginx configuration limits API access
to specific IPs only:

```nginx
location /api {
  allow 192.168.1.100;
  allow 192.168.1.101;
  deny all;
}
```

The same configuration can also be used without the `allow`
statements to disable all traffic to the `/api` endpoint.
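For deployments that cannot change the reverse proxy, the two workarounds above (IP allow-list and login requirement for `/api`) can also be enforced in one Rack-style middleware. This is an added example, not code from the advisory or from Decidim; the `signed_in` hook and the sample requests are assumptions, and it relies on `REMOTE_ADDR` only, so behind a proxy the real client address must first be resolved by trusted proxy handling.

```ruby
# Added example (not Decidim's or the advisory's code): a Rack-style guard
# that applies both /api workarounds at the application layer.
require "ipaddr"

class ApiAccessGuard
  # allowed_ips: strings IPAddr accepts ("192.168.1.100" or "10.0.0.0/8").
  # signed_in: callable taking the Rack env and returning truthy for a
  # logged-in user (assumed hook; in Decidim this would wrap user_signed_in?).
  def initialize(app, allowed_ips:, signed_in:, path_prefix: "/api")
    @app = app
    @allowed = allowed_ips.map { |ip| IPAddr.new(ip) }
    @signed_in = signed_in
    @prefix = path_prefix
  end

  def call(env)
    return @app.call(env) unless env["PATH_INFO"].to_s.start_with?(@prefix)

    # Only REMOTE_ADDR is consulted; X-Forwarded-For is client-controlled and
    # must be resolved by a trusted reverse proxy before it can be relied on.
    client = IPAddr.new(env["REMOTE_ADDR"].to_s) rescue nil
    unless client && @allowed.any? { |net| net.include?(client) }
      return [403, { "content-type" => "text/plain" }, ["forbidden"]]
    end
    unless @signed_in.call(env)
      return [401, { "content-type" => "text/plain" }, ["login required"]]
    end
    @app.call(env)
  end
end

# Constructed sample requests that exercise the guard offline.
def demo_statuses
  app = ->(_env) { [200, {}, ["ok"]] }
  guard = ApiAccessGuard.new(app,
                             allowed_ips: ["192.168.1.100", "192.168.1.101"],
                             signed_in: ->(env) { env["rack.session"]&.dig("user_id") })
  req = lambda do |ip, path, user|
    guard.call("REMOTE_ADDR" => ip, "PATH_INFO" => path,
               "rack.session" => { "user_id" => user }).first
  end
  {
    public_page:    req.call("203.0.113.9", "/processes", nil),   # untouched
    untrusted_ip:   req.call("203.0.113.9", "/api", 42),          # 403
    trusted_anon:   req.call("192.168.1.100", "/api", nil),       # 401
    trusted_signed: req.call("192.168.1.101", "/api/graphiql", 42) # 200
  }
end
```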

When considering a workaround and the seriousness of the vulnerability,
please consider the nature of the platform. If the platform primarily
serves public data, this vulnerability is not serious by its nature.
If the platform is protecting some resources, e.g. inside private
participation spaces, the vulnerability may expose to the attacker
data that is not meant to be public.

If you have enabled the organization setting "Force users to
authenticate before access organization", the scope of this
vulnerability is limited to the users who are allowed to log in
to the Decidim platform. This setting was introduced in version
0.19.0 and was applied to the `/api` endpoint in version 0.22.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-40870
reference_id
reference_type
scores
0
value 0.00045
scoring_system epss
scoring_elements 0.14256
published_at 2026-06-09T12:55:00Z
1
value 0.00045
scoring_system epss
scoring_elements 0.14235
published_at 2026-06-08T12:55:00Z
2
value 0.00045
scoring_system epss
scoring_elements 0.14351
published_at 2026-06-05T12:55:00Z
3
value 0.00045
scoring_system epss
scoring_elements 0.14354
published_at 2026-06-06T12:55:00Z
4
value 0.00045
scoring_system epss
scoring_elements 0.14316
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-40870
1
reference_url https://github.com/decidim/decidim/security/advisories/GHSA-ghmh-q25g-gxxx
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-21T19:52:03Z/
url https://github.com/decidim/decidim/security/advisories/GHSA-ghmh-q25g-gxxx
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-40870
reference_id CVE-2026-40870
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2026-40870
3
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-api/CVE-2026-40870.yml
reference_id CVE-2026-40870.YML
reference_type
scores
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-api/CVE-2026-40870.yml
4
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-comments/CVE-2026-40870.yml
reference_id CVE-2026-40870.YML
reference_type
scores
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-comments/CVE-2026-40870.yml
5
reference_url https://github.com/advisories/GHSA-ghmh-q25g-gxxx
reference_id GHSA-ghmh-q25g-gxxx
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-ghmh-q25g-gxxx
fixed_packages
0
url pkg:gem/decidim-comments@0.30.5
purl pkg:gem/decidim-comments@0.30.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/decidim-comments@0.30.5
1
url pkg:gem/decidim-comments@0.31.1
purl pkg:gem/decidim-comments@0.31.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/decidim-comments@0.31.1
aliases CVE-2026-40870, GHSA-ghmh-q25g-gxxx
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-afrd-7jmp-fqdv
Fixing_vulnerabilities
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:gem/decidim-comments@0.30.1