JavaScript

Made by DeepSource

Audit: Allowing dotfiles during static file serving can be sensitive JS-D020

Security | Major | Autofix | OWASP A05 | CWE-798 | SANS Top 25 | OWASP Top 10

Serving hidden files (dotfiles) from a static directory is not recommended, as they frequently contain sensitive information.

Hidden files are created automatically by many tools to store user preferences and state; well-known examples are .profile, .bashrc, .bash_history and .git. To keep directory listings uncluttered, operating system commands such as ls do not display them by default.

Outside the user environment, hidden files are sensitive because they are used to store private information or even hard-coded secrets: a .env file with API keys, or a .git directory that exposes the full source history of the deployed application.

Recommended Secure Coding Practices: Disable the serving of hidden files. In serve-static (and express.static, which wraps it) this means leaving the dotfiles option at 'ignore' or setting it to 'deny'; never set it to 'allow' for a directory that untrusted clients can reach.

Bad Practice

const serveStatic = require('serve-static')
let serveStaticMiddleware = serveStatic('public', {
  index: false,
  dotfiles: 'allow' // not safe: public/.env, public/.git/config etc. become downloadable
})

Recommended

const serveStatic = require('serve-static')
let serveStaticMiddleware = serveStatic('public', {
  index: false,
  dotfiles: 'ignore' // Compliant: dotfile requests fall through as if the file did not exist
})

'ignore' is the default value of the option in serve-static, so omitting dotfiles altogether is equally compliant. 'deny' is also acceptable; it answers such requests with 403 instead of falling through to a 404, which is slightly more explicit but confirms to a client that something exists at that path.
