Exposure of private files

Express provides easy methods for serving entire directories of static files from a web server. However, using these can sometimes lead to accidental information exposure. If, for example, the node_modules folder is served, then an attacker can access the _where field from a package.json file, which gives access to the absolute path of the file.
Limit which folders of static files are served from a web server.
In the example below, all the files from the node_modules folder are served. This allows clients to easily access all the files inside that folder, which includes potentially private information inside

```javascript
var express = require('express');
var path = require('path'); // required for path.resolve below; missing in the original snippet
var app = express();
// Mounts the whole node_modules directory, so every package.json (and any _where field) is reachable
app.use('/node_modules', express.static(path.resolve(__dirname, '../node_modules')));
```
The issue has been fixed below by only serving specific folders within the

```javascript
var express = require('express');
var app = express();
// Mount paths need a leading slash, otherwise they never match a request URL.
// Only the built "dist" output of each package is exposed, never the package root,
// so package.json stays unreachable. Note that a relative path passed to
// express.static is resolved against the process working directory.
app.use('/jquery', express.static('./node_modules/jquery/dist'));
app.use('/bootstrap', express.static('./node_modules/bootstrap/dist'));
```