Is a file outside the public folder in express safe?
I'm building a website using Express.
I have a page with a form to add articles. There is no sensitive data on my website, but I don't want people to be able to post articles.
So my question is: can people have access to any file that is not inside the public folder?
// Public directory
web.use(express.static(path.join(__dirname, 'public')));
The page would be accessed with a token (the token would be encrypted and stored in a JSON file outside the public folder), like this:
// json file import (the file lives outside the public folder)
var data = require('../data/fileThatIsSafe.json');
// page render: Express passes (req, res) in that order
web.get('/myPage/:token?', function(req, res) {
    // compare the encrypted token from the URL with the stored one
    if(encrypt(req.params.token) == data.token) {
        res.render('myPage');
    }
});
I can't tell exactly what the token has to do with your question, but if you're just asking if your express.static() code is safe:
web.use(express.static(path.join(__dirname, 'public')));
Then, the answer is that express.static() (by default) does not allow access to any files outside of the directory you pass it. In your example, it only provides access to the public directory hierarchy. If you look at the doc for express.static(), you will see an option for dotfiles that has these settings:
Possible values for this option are:
"allow" - No special treatment for dotfiles.
"deny" - Deny a request for a dotfile, respond with 403, then call next().
"ignore" - Act as if the dotfile does not exist, respond with 404, then call next().
The default value for this option is "ignore" and will return a 404.
So my question is: can people have access to any file that is not inside the public folder?
Not via your express.static() middleware. So, the only way people could get access to other files on your server is if you have some other route that explicitly allows them to request those files.
In the one other route you show, that does appear to require an appropriate token be sent with the route before you will send the content. That specific route handler needs to send some sort of response (perhaps an error response) when the token does not match.