在 Express 中拒绝访问 server.js

Question

I'm currently building a app which will be used in a production environment and I'm using Node & Express for that.

My concern is about the static file serving that I'm doing, because the server runs in the same directory ( dist/ ) with the command node server.js .

Obviously someone just could do <url>/server.js and Express will happily return the whole content of the file, which is not good for security, of course.

I've now implemented a basic check which should deny the access to this file, like so:

[...]

function denyServerJSAccess(req, res, next) {      
  if (req.originalUrl.indexOf('server.js') > -1) {
    console.log("Denied access")
    return res.sendStatus(403);
  } else {
    return next();
  }      
}
app.use(denyServerJSAccess);
app.use(express.static(__dirname + ""));

[...]

But is this sufficient?

Can a targeted attacked maybe craft a character that bypasses indexOf , but let's Express serve the file? That won't be any good, if yes.

I've seen so many tricks in the past that people use to get around basic protections that I'm a little bit concerned, as this probably is a basic protection.

What should I do in order to protect such files?

Thanks in advance.

Answer 1

There are two things here, first the line

app.use(express.static(__dirname + ""));

would expose everything that's in the directory server.js is in (this is probably your root directory). So you would like to limit the path to

app.use(express.static(__dirname + '/path/to/public/resources'));

And secondly, put public resources only under path/to/public/resources .