With the release of Laravel Nova, I've seen a lot of new packages being created for it this week. Unfortunately not all of them have been built with what I would consider to be basic security considerations in mind.
With that in mind, I thought that I would try to outline what you definitely shouldn't be doing in a Nova package. Also, please note that my intention with this post is not to call out any one package, or any one package developer.
If I mention a pattern or function which your package utilises, do not take offence, but do please re-evaluate the reasoning behind your package and see if you're able to make it bulletproof.
We must remember that Nova is an administration tool which is web accessible. As much effort as has been made to make the system secure, it is also prudent to remember that no system is ever truly secure. To draw a parallel, even the most popular web-based database administration tool, phpMyAdmin, was compromised in January of this year. The lesson? Nothing is infallible.
As such, Nova shouldn't be treated as a "do everything in one place" tool, which will be frustrating to some as it is more than capable of becoming that.
Two examples of packages that I've seen which have set off my "spidey senses" with regards to security considerations are:
- A package which allows direct database queries within Nova itself.
- A package which exposes your Laravel Environment File at the click of a button.
I consider both of these to be extremely dangerous tools. There are a multitude of reasons why, including but not limited to:
- XSS attack vector
- SQL injection
- Cross-site request forgery
- Password reuse across different sites, with credentials leaked from a data breach
Laravel does its best to protect you from most of these, but all of those protections are easily disabled within Laravel itself. If an attacker gains access to Nova through any of the above attack vectors, they have instant access to your database credentials at best, and to your production Stripe API keys and your users' personal data (last 4 digits of card, email address, hashed passwords) at worst.
While these tools can be useful, they do not belong within a web-based administration panel.
I firmly believe that Laravel Nova has created a blossoming new ecosystem, and I am excited for where it takes us. Nowhere else is this more clear than on novapackages.com by Tighten. However, any ecosystem is much like a garden; it must be tended to carefully lest the weeds take root and spread.
As developers, we are often the last line of defence against bad and immoral practices. We should be promoting best practices, and we have a duty to point others in the right direction.