In general, you can execute any query through the query builder, so if your anonymous user has read access to the full JCR tree then a malicious user can access anything in the repository. It may be better to actually use the query builder API in a similar way the search uses the querybuilder instead of opening it up to the world, or write a set of restrictive mod_rewrite rules to avoid too much access to the query builder.
Can you clarify a bit what you meant by "write a set of restrictive mod_rewrite rules to avoid too much access to the query builder"?
mod_rewrite allows you to use regular expressions to allow/disallow requests. This can be used to only allow certain parameters to be passed to querybuilder. However, I think it's not a good way to do this. Using the querybuilder from JSP or Java is a better and more secure approach in my opinion. Maybe somebody from Adobe wants to comment on this as well.
Agreed, for use on a publish site it might be better to have specific JSPs that cover only the desired search and use the query builder API.
But it's still important to note that anything readable for anonymous is public anyway - the ACLs of your content should be right. The querybuilder uses the JCR search which fully respects ACLs in the result. An open query API such as the Sling .query.json or the querybuilder.json servlets just make the explorability of that public content easier.
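A concrete version of the approach recommended in the two posts above, added here as an example (it is not code from the thread, from Adobe, or from the CQ product): a Sling servlet that exposes exactly one QueryBuilder query in which only the fulltext term comes from the client, while path, node type and result limit are fixed in code. The servlet path /bin/example/sitesearch, the content root /content/mysite and the use of CQ 5.x-era Felix SCR annotations and Sling commons JSON are assumptions. Because the query runs with the requesting user's own session, JCR ACLs still decide what each hit may contain; the servlet only removes the ability to explore the whole tree the way /bin/querybuilder.json allows.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.servlet.ServletException;

import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.sling.SlingServlet;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.apache.sling.commons.json.JSONException;
import org.apache.sling.commons.json.io.JSONWriter;

import com.day.cq.search.PredicateGroup;
import com.day.cq.search.Query;
import com.day.cq.search.QueryBuilder;
import com.day.cq.search.result.Hit;
import com.day.cq.search.result.SearchResult;

/**
 * Hypothetical site-search servlet (example code, not from the original thread).
 * Only the fulltext term is taken from the request; everything else in the
 * predicate map is fixed server-side, so a caller cannot turn this endpoint
 * into a general-purpose repository browser.
 */
@SlingServlet(paths = "/bin/example/sitesearch", methods = "GET")
public class RestrictedSiteSearchServlet extends SlingSafeMethodsServlet {

    private static final String SEARCH_ROOT = "/content/mysite"; // assumed site root
    private static final int MAX_RESULTS = 20;                   // hard upper bound, not client-settable
    private static final int MAX_TERM_LENGTH = 100;              // keeps pathological fulltext terms out

    @Reference
    private QueryBuilder queryBuilder;

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {

        String term = request.getParameter("q");
        if (term == null || term.trim().isEmpty() || term.length() > MAX_TERM_LENGTH) {
            response.sendError(SlingHttpServletResponse.SC_BAD_REQUEST, "missing or too long 'q'");
            return;
        }

        // Fixed predicates: unlike /bin/querybuilder.json, the client cannot supply
        // path=, type=, property=, nodename= or p.limit=-1 here.
        Map<String, String> predicates = new HashMap<String, String>();
        predicates.put("path", SEARCH_ROOT);
        predicates.put("type", "cq:Page");
        predicates.put("fulltext", term.trim());
        predicates.put("p.limit", String.valueOf(MAX_RESULTS));
        predicates.put("p.guessTotal", "true");   // avoid counting the whole result set

        // The caller's own session: ACLs still apply to every hit.
        Session session = request.getResourceResolver().adaptTo(Session.class);
        Query query = queryBuilder.createQuery(PredicateGroup.create(predicates), session);
        SearchResult result = query.getResult();

        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        try {
            JSONWriter w = new JSONWriter(response.getWriter());
            w.object().key("total").value(result.getTotalMatches()).key("hits").array();
            for (Hit hit : result.getHits()) {
                w.object()
                 .key("path").value(hit.getPath())
                 .key("title").value(hit.getTitle())
                 .endObject();
            }
            w.endArray().endObject();
        } catch (RepositoryException e) {
            throw new ServletException(e);
        } catch (JSONException e) {
            throw new ServletException(e);
        }
    }
}
```

The same pattern works from a JSP: build the predicate map in the page, call queryBuilder.createQuery with the request's session, and never forward request parameters into the map wholesale. Whatever you expose this way should be the only search entry point reachable on publish; the stock querybuilder.json and .query.json servlets still exist and need to be blocked separately.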
I guess the security checklist suggests using dispatcher to lock down CQ, not the ACLs - if one looks at the default ACLs for everyone that CQ sets up in an install it's a bit too scary I would say to go with ACL lockdown since /libs and /apps have full read access for everyone on a pub instance and /content/uploadFilesTempDir has read/write access.
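The dispatcher-side lockdown the post above refers to, as an added example (it is not from the thread or from the CQ security checklist): a /filter section for a publish farm in dispatcher.any that denies everything by default, re-opens only the site's own content, and explicitly closes the open query servlets named earlier in the thread. The site root /content/mysite and the custom search servlet path /bin/example/sitesearch are assumptions. Old-style /glob rules match the whole request line, for example "GET /bin/querybuilder.json?path=/&p.limit=-1 HTTP/1.1", so the query string is part of what is matched.

```apache
# Example dispatcher.any /filter section for a publish farm (added example,
# not from the thread). Later rules override earlier ones.
/filter
  {
  # 1. Deny everything. This already covers /libs, /apps and
  #    /content/uploadFilesTempDir regardless of their JCR ACLs.
  /0001 { /type "deny"  /glob "*" }

  # 2. Re-open only the site's own pages and its design/clientlib assets,
  #    and only for GET.
  /0002 { /type "allow" /glob "GET /content/mysite/* *" }
  /0003 { /type "allow" /glob "GET /etc/designs/mysite/* *" }
  /0004 { /type "allow" /glob "GET /etc/clientlibs/* *" }

  # 3. The single search entry point: a servlet with fixed predicates
  #    (assumed at /bin/example/sitesearch). Nothing else under /bin.
  /0010 { /type "allow" /glob "GET /bin/example/sitesearch* *" }

  # 4. Close the open query servlets explicitly and last, so that a broader
  #    allow added later (e.g. "GET /content/* *") cannot quietly re-open
  #    them. The ".query.json" rule also catches selector-style use such as
  #    /content/mysite.query.json?statement=...
  /0020 { /type "deny" /glob "* /bin/querybuilder.json* *" }
  /0021 { /type "deny" /glob "* /bin/querybuilder.feed* *" }
  /0022 { /type "deny" /glob "* *.query.json* *" }
  }
```

Two caveats a practitioner will want: the filter only protects traffic that actually passes through the dispatcher, so the publish instance's own port must not be reachable from the outside, and after changing the rules it is worth requesting /bin/querybuilder.json?path=/ and /content/mysite.query.json?statement=... through the web server to confirm a 404 comes back.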
One other thing to keep in mind is the performance impact. If you let anyone run arbitrary queries against the repository, you may be opening yourself up for performance problems. Even if no content is leaked because you have proper ACLs, your server may still suffer a performance issue.