Skip to content

Fix critical security vulnerability: Move SQLite database outside webroot#738

Merged
sstidl merged 7 commits into
masterfrom
copilot/fix-sqlite-db-path-issue
Dec 17, 2025
Merged

Fix critical security vulnerability: Move SQLite database outside webroot#738
sstidl merged 7 commits into
masterfrom
copilot/fix-sqlite-db-path-issue

Conversation

Copilot AI commented Dec 17, 2025

Copy link
Copy Markdown
Contributor

Fix Critical Security Vulnerability in SQLite Database Path

  • Change SQLite database path from __DIR__ . '/speedtest_telemetry.db' to __DIR__ . '/../../speedtest_telemetry.db' in results/telemetry_settings.php
  • Verify the change moves the database outside the web-accessible directory
  • Ensure all validation improvements from PR Fix SQLite database path to resolve "unable to open database file" error #736 are preserved (directory checks, error messages)
  • Test the configuration to ensure it works correctly
  • Run code review to validate the fix
  • Run security scanning with CodeQL
  • Update documentation with comprehensive security guidance
  • Address code review feedback on documentation clarity
  • Clarify database file creation timing in verification step

Summary

This PR fixes the critical security vulnerability introduced in PR #736 by changing the SQLite database path from inside the web-accessible results/ directory to two directories up, placing it outside the webroot when properly configured.

Security Impact

Before (Vulnerable): Database at results/speedtest_telemetry.db - directly downloadable via web
After (Secure): Database at ../../speedtest_telemetry.db - outside webroot when properly configured

What Changed

  1. Security fix in results/telemetry_settings.php (commit 5622fe1)

    • Database path changed from __DIR__ . '/speedtest_telemetry.db' to __DIR__ . '/../../speedtest_telemetry.db'
  2. Comprehensive security documentation in doc.md (commits f5f0e0e, ca3b1aa, 1c29f46, 406a1c0, latest)

    • Explains the secure default path design
    • Critical: Documents web server configuration requirements (document root must be the application directory)
    • Provides alternative solution using absolute paths for maximum security
    • Includes verification steps with clarification about database creation timing
    • Covers different deployment scenarios
    • Clear, complete examples with proper file paths
  3. Code documentation in docker/entrypoint.sh (commit f5f0e0e)

    • Added comments explaining Docker's secure path override

What Was Preserved

The fix has been tested and comprehensively documented with clear security guidance.

Original prompt

Critical Security Issue

PR #736 introduced a critical security vulnerability by changing the SQLite database path from ../../speedtest_telemetry.sql to __DIR__ . '/speedtest_telemetry.db'.

This places the database file inside the web-accessible results/ directory, allowing anyone to directly download the entire database by accessing:

https://example.com/results/speedtest_telemetry.db

This exposes:

  • All IP addresses (regardless of redaction settings in the code)
  • Complete test results and performance data
  • Timestamps, ISP information, and geolocation data
  • Any other telemetry stored in the database

Required Fix

Change line 13 in results/telemetry_settings.php:

Current (VULNERABLE):

$Sqlite_db_file = __DIR__ . '/speedtest_telemetry.db';

Required (SECURE):

$Sqlite_db_file = __DIR__ . '/../../speedtest_telemetry.db';

Why Two Directories Up?

According to the installation documentation (doc.md, line 43-44), users deploy the application like this:

  • Copy files to webroot: /var/www/html/speedtest/
  • This includes: index.html, speedtest.js, backend/, results/, etc.

The file structure is:

/var/www/html/speedtest/          <- webroot (web-accessible)
├── index.html
├── speedtest.js
├── backend/
├── results/
│   └── telemetry_settings.php   <- __DIR__ is here
└── examples/

Moving the database two directories up places it at:

/var/www/html/                    <- one level up from webroot
└── speedtest_telemetry.db        <- NOT web-accessible

Or even:

/var/www/                          <- two levels up from webroot  
└── speedtest_telemetry.db        <- NOT web-accessible

This matches the original intention of the ../../speedtest_telemetry.sql path before PR #736, which was designed to place the database outside the webroot for security.

What to Keep

Keep all the validation improvements from PR #736:

  • Directory existence checks
  • Directory writability checks
  • Improved error messages in results/telemetry_db.php
  • The .gitignore entries for *.db files

These are good improvements that help users diagnose permission issues.

Documentation Note

The documentation at line 86 of doc.md explicitly warns about this:

"If you chose to use SQLite, you might want to change $Sqlite_db_file to another path where you want the database to be stored. Just make sure that the file cannot be downloaded by users."

PR #736 violated this security requirement by placing the database in a web-accessible location.

Impact

This is a critical security vulnerability affecting all users who:

  1. Use SQLite for telemetry storage (now the default since PR Fix SQLite database path to resolve "unable to open database file" error #736 changed $db_type to 'sqlite')
  2. Have deployed the application since PR Fix SQLite database path to resolve "unable to open database file" error #736 was merged

The fix must be deployed urgently to prevent data exposure.

This pull request was created from Copilot chat.


✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

@sstidl sstidl marked this pull request as ready for review December 17, 2025 20:23
@qodo-free-for-open-source-projects

Copy link
Copy Markdown
Contributor

PR Code Suggestions ✨

No code suggestions found for the PR.

…root

Co-authored-by: sstidl <12804296+sstidl@users.noreply.github.com>
@sstidl

sstidl commented Dec 17, 2025

Copy link
Copy Markdown
Collaborator

@copilot review docs and update

Copilot AI changed the title [WIP] Fix critical security vulnerability in SQLite database path Fix critical security vulnerability: Move SQLite database outside webroot Dec 17, 2025
Copilot AI requested a review from sstidl December 17, 2025 20:26
Copilot AI and others added 2 commits December 17, 2025 20:29
Co-authored-by: sstidl <12804296+sstidl@users.noreply.github.com>
…ion scenarios

Co-authored-by: sstidl <12804296+sstidl@users.noreply.github.com>

Copilot AI commented Dec 17, 2025

Copy link
Copy Markdown
Contributor Author

@copilot review docs and update

Documentation updated in commits ca3b1aa and f5f0e0e. Changes include:

  • Clarified how the default ../../ path keeps database outside web-accessible directory
  • Added security warnings and verification steps
  • Covered different installation scenarios (subdirectory vs. document root)
  • Added comments to Docker entrypoint explaining secure path override

Copilot AI and others added 2 commits December 17, 2025 20:32
Co-authored-by: sstidl <12804296+sstidl@users.noreply.github.com>
Co-authored-by: sstidl <12804296+sstidl@users.noreply.github.com>
Comment thread doc.md
…n step

Co-authored-by: sstidl <12804296+sstidl@users.noreply.github.com>
Copilot AI requested a review from sstidl December 17, 2025 20:43
@sstidl sstidl merged commit 750f043 into master Dec 17, 2025
@sstidl sstidl deleted the copilot/fix-sqlite-db-path-issue branch March 11, 2026 19:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants