I'm currently building an app which will be used in a production environment and I'm using Node & Express for that.
My concern is about the static file serving that I'm doing, because the server runs in the same directory (dist/) with the command node server.js.
Obviously someone could just do <url>/server.js and Express will happily return the whole content of the file, which is not good for security, of course.
I've now implemented a basic check which should deny access to this file, like so:
```javascript
const express = require('express');
const app = express();

// [...]

// Reject any request whose raw URL contains 'server.js' before it reaches express.static.
function denyServerJSAccess(req, res, next) {
  if (req.originalUrl.indexOf('server.js') > -1) {
    console.log("Denied access");
    return res.sendStatus(403);
  }
  return next();
}

app.use(denyServerJSAccess);
// Serves every file in the directory that server.js itself lives in.
app.use(express.static(__dirname + ""));

// [...]
```
But is this sufficient?
Can a targeted attacker maybe craft a character that bypasses indexOf, but lets Express serve the file? That won't be any good, if yes.
I've seen so many tricks in the past that people use to get around basic protections that I'm a little bit concerned, as this probably is a basic protection.
What should I do in order to protect such files?
Thanks in advance.
Answer 0: (score: 1)
Two things here. First, the line
app.use(express.static(__dirname + "")); will expose everything in that directory (which is probably your root directory). So you want to restrict the path to server.js.
Second, only put public resources under app.use(express.static(__dirname + '/path/to/public/resources'));.