堆栈内存溢出
  简体   繁体   English

公用文件夹之外的文件是否安全?

[英]Is a file outside the public folder in express safe?

 原文  2020-03-25 19:34:07       javascript/ express/ security

问题描述

I'm building a website using Express.我正在使用 Express 构建网站。

I have a page with a form to add articles.我有一个带有添加文章表单的页面。 There is no sensitive data on my website but I don't want people te be able to post articles.我的网站上没有敏感数据,但我不希望人们能够发布文章。

So my question is: can people have access to any file that is not inside the public folder ?所以我的问题是:人们可以访问不在公共文件夹中的任何文件吗?

// Public directory
web.use(express.static(path.join(__dirname, 'public')));

The page would be accessed with a token (the token would be encrypted and stored in a json file (outside the public folder)将使用令牌访问该页面(该令牌将被加密并存储在一个 json 文件中(在公共文件夹之外)

like this :像这样 :

// json file import
var data = require('../data/fileThatIsSafe.json');

// page render
web.get('/myPage/:token?', function(res, req) {
    if(encrypt(req.params.token) == data.token) {
        res.render('myPage');
    }
}

1 个解决方案

解决方案1
 1 已采纳  2020-03-25 20:54:40

I can't tell exactly what the token has to do with your question, but if you're just asking if your express.static() code is safe:我无法确切地说出令牌与您的问题有什么关系,但如果您只是询问您的express.static()代码是否安全:

web.use(express.static(path.join(__dirname, 'public')));

Then, the answer is that express.static() (by default) does not allow access to any files outside of the directory you pass it.然后,答案是express.static() (默认情况下)不允许访问您传递的目录之外的任何文件。 in your example, it only provides access to the public directory hierarchy.在您的示例中,它仅提供对public目录层次结构的访问。 If you look at the doc for express.static() , you will see an option for dotfiles that has these settings:如果您查看express.static()文档,您将看到具有以下设置的dotfiles选项:

Possible values for this option are:

"allow"  - No special treatment for dotfiles.
"deny"   - Deny a request for a dotfile, respond with 403, then call next().
"ignore" - Act as if the dotfile does not exist, respond with 404, then call next().

The default value for this option is "ignore" and will return a 404.此选项的默认值是"ignore"并将返回 404。

So my question is: can people have access to any file that is not inside the public folder ?所以我的问题是:人们可以访问不在公共文件夹中的任何文件吗?

Not via your express.static() middleware.不是通过您的express.static()中间件。 So, the only way people could get access to other files on your server is if you have some other route that explicitly allows them to request those files.因此,人们可以访问您服务器上的其他文件的唯一方法是您是否有其他一些明确允许他们请求这些文件的路由。

In the one other route you show, that does appear to require an appropriate token be sent with the route before you will send the content.在您显示的另一条路线中,在您发送内容之前,似乎确实需要随路线一起发送适当的令牌。 That specific route handler needs to send some sort of response (perhaps an error response) when the token does not match.当令牌不匹配时,该特定路由处理程序需要发送某种响应(可能是错误响应)。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 在Express.js应用程序的公用文件夹中创建一个文件 - Create a file in public folder of an Express.js App 如何使用快递在“公共”中提供文件夹 - How to serve folder in 'public' with express express.js 公用文件夹未被识别 - express.js public folder not being recognised "在 Next JS 中使用 `next-mdx-remote` 时,如何在`public\/` 文件夹之外的`.mdx` 文件中使用图像?" - How to use images in a `.mdx` file outside of `public/` folder while using `next-mdx-remote` in Next JS? 获取express.js以显示公用文件夹 - Getting express.js to show a public folder 在Express JS中,如何在Middlware之后呈现静态文件不在公共或查看文件夹中 - How to render static file not in public or view folder after middlware in express js 将上载的文件存储在Express中系统中除项目公用文件夹之外的任何路径中 - Store uploaded file in Express in any path in the system except project public folder 在快速应用程序中,公用文件夹中的javascript文件如何访问index.js下路由文件夹中编写的数据库API - In an express application ,how can the javascript file in public folder access the database API written in routes folder under index.js 在文件夹外获取文件路径 - Getting file paths outside the folder Serving.js 和 .css 文件位于 PHP 中的公用文件夹之外 - Serving .js and .css files that are outside of public folder in PHP
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM