Hidden files (dotfiles) are sensitive because they are often used to store private configuration or even hard-coded secrets. Allowing them to be served from a static root directory can lead to information leakage.
// Module setup: Express application plus the serve-static middleware factory.
// `var` is kept deliberately so this snippet can coexist with the sibling
// listing below that declares the same names.
var express = require("express"),
  serveStatic = require("serve-static"),
  app = express();
/**
 * Registers a static-file handler for the "public" directory.
 *
 * Noncompliant: `dotfiles: "allow"` tells serve-static to hand out hidden
 * files (names beginning with a dot) from the root, so any private
 * configuration or secrets kept in such files become reachable over HTTP.
 * `index: false` only disables directory index files; it does not protect
 * dotfiles.
 */
function fileAndDirectoryInformationExposureNoncompliant() {
  app.use(
    serveStatic("public", {
      index: false,
      dotfiles: "allow", // the leak: hidden files are served like any other
    })
  );
}
// Module setup for the compliant listing: Express application plus the
// serve-static middleware factory. `var` is kept so the names may be
// redeclared alongside the sibling listing above.
var express = require("express"),
  serveStatic = require("serve-static"),
  app = express();
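/**
 * Registers a static-file handler for the "public" directory that never
 * exposes hidden files.
 *
 * Compliant: `dotfiles: "ignore"` makes serve-static treat a request for a
 * dot-prefixed path as if the file did not exist, so private configuration
 * or secrets stored in hidden files are not served and their existence is
 * not confirmed to the client. (`"deny"` is the other safe value; it
 * refuses the request instead of pretending the file is absent.)
 * `index: false` additionally disables directory index files.
 *
 * @param safeDomain - currently unused by this handler; typed `unknown`
 *   rather than `any` so a future use must narrow it before relying on it.
 */
function fileAndDirectoryInformationExposureCompliant(safeDomain: unknown) {
  app.use(
    serveStatic("public", {
      index: false,
      dotfiles: "ignore", // hidden files are never served
    })
  );
}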