File and directory information exposure Medium

Hidden files (dotfiles) are sensitive because they are commonly used to store private configuration or even hardcoded secrets. Allowing them to be served from a given root directory can lead to information leakage.

Detector ID
typescript/file-and-directory-information-exposure@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

// Application setup shared by the example below: the Express app and the
// serve-static middleware factory.
const express = require("express");
const serveStatic = require("serve-static");
const app = express();
/**
 * Mounts serve-static on the "public" directory with directory indexes
 * disabled but dotfiles allowed.
 *
 * Noncompliant: dotfiles variable is set to 'allow'. Any hidden file under
 * "public" (e.g. a `.env` or `.git` entry) is served like a normal file.
 */
function fileAndDirectoryInformationExposureNoncompliant() {
  const staticOptions = {
    index: false,
    dotfiles: "allow",
  };
  app.use(serveStatic("public", staticOptions));
}

Compliant example

// Application setup shared by the example below: the Express app and the
// serve-static middleware factory.
const express = require("express");
const serveStatic = require("serve-static");
const app = express();
4
/**
 * Mounts serve-static on the "public" directory with directory indexes
 * disabled and dotfiles hidden.
 *
 * Compliant: dotfiles variable is set to 'ignore'. Requests for hidden files
 * under "public" are answered as if the file did not exist; the alternative
 * 'deny' value would answer them with 403 instead.
 *
 * @param safeDomain - accepted for interface parity; not used in this example.
 */
function fileAndDirectoryInformationExposureCompliant(safeDomain: any) {
  const staticOptions = {
    index: false,
    dotfiles: "ignore",
  };
  app.use(serveStatic("public", staticOptions));
}