Exposure of private files
ID: js/exposure-of-private-files
Kind: problem
Security severity: 6.5
Severity: warning
Precision: high
Tags:
- security
- external/cwe/cwe-200
- external/cwe/cwe-219
- external/cwe/cwe-548
Query suites:
- javascript-code-scanning.qls
- javascript-security-extended.qls
- javascript-security-and-quality.qls
Libraries like express provide easy methods for serving entire directories of static files from a web server. However, using these can sometimes lead to accidental information exposure. If, for example, the node_modules folder is served, then an attacker can access the _where field from a package.json file, which gives access to the absolute path of the file.
Recommendation
Limit which folders of static files are served from a web server.
Example
In the example below, all the files from the node_modules folder are served. This allows clients to easily access all the files inside that folder, which includes potentially private information inside package.json files.
var express = require('express');
var path = require('path'); // required for path.resolve below
var app = express();
// BAD: the whole node_modules tree, including every package.json, is served.
app.use('/node_modules', express.static(path.resolve(__dirname, '../node_modules')));
The issue has been fixed below by only serving specific folders within the node_modules folder.
var express = require('express');
var app = express();
// GOOD: only the distributable assets of each package are exposed, not its package.json.
// Mount paths need a leading slash; a bare "jquery" would never match a request URL.
app.use("/jquery", express.static('./node_modules/jquery/dist'));
app.use("/bootstrap", express.static('./node_modules/bootstrap/dist'));
References
- OWASP: Sensitive Data Exposure.
- Common Weakness Enumeration: CWE-200.
- Common Weakness Enumeration: CWE-219.
- Common Weakness Enumeration: CWE-548.