Disable symlinks #120

Open
gregmartyn opened this issue Feb 28, 2019 · 2 comments · May be fixed by #127

Comments

@gregmartyn

If I'm doing .use(express.static('/var/www/html')) and some attacker manages to ln -s /etc/passwd /var/www/html, then http://host/passwd will serve up /etc/passwd. Is there any way to tell serve-static not to follow symlinks, or to restrict them so that they're only followed to files within the directory being served?

I'm essentially asking for Apache's FollowSymLinks or nginx's disable_symlinks.

@dougwilson
Contributor

No, this is not a feature currently, but a pull request to add such a feature would definitely be welcome!

@jayk
Contributor

jayk commented Oct 12, 2019

I submitted a pull request that provides this behavior via a new option called followsymlinks which defaults to true. If it's set to false, it will cause paths that contain symlinks to be forbidden.
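
An added example, not part of the thread and not serve-static's code or the pull request's: a guard that can sit in front of `express.static` and covers both behaviours asked for above, following symlinks only when they stay inside the served directory, or refusing any path that contains one. The names `classifyPath`, `symlinkGuard` and the `followInside` option are hypothetical.

```javascript
// Added example, not serve-static code. Function and option names are hypothetical.
const fs = require('fs');
const path = require('path');

// Classify a request path against the served root:
//   'allow'   - resolves to something inside root
//   'deny'    - a symlink (or "..") leads outside root, or links are disallowed
//   'missing' - nothing there; let the static handler produce its 404
function classifyPath(root, urlPath, opts = {}) {
  const followInside = opts.followInside !== false; // assumed default: true
  let realRoot, candidate, realTarget;
  try {
    realRoot = fs.realpathSync(root);
    // Percent-decode, join under root, normalise "..", drop any trailing slash.
    candidate = path.resolve(path.join(realRoot, decodeURIComponent(urlPath)));
    // realpathSync resolves every symlink along the path.
    realTarget = fs.realpathSync(candidate);
  } catch (err) {
    // Malformed encoding, NUL bytes, ELOOP and similar are refused outright.
    return err.code === 'ENOENT' ? 'missing' : 'deny';
  }
  // Strict mode: any symlink component makes the real path differ.
  if (!followInside && realTarget !== candidate) return 'deny';
  const rel = path.relative(realRoot, realTarget);
  const escapes =
    rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  return escapes ? 'deny' : 'allow';
}

// Express-style middleware; mount it before express.static(root).
function symlinkGuard(root, opts) {
  return function (req, res, next) {
    if (classifyPath(root, req.path, opts) === 'deny') {
      res.statusCode = 403;
      return res.end('Forbidden');
    }
    next();
  };
}
```

The check and the later file open are separate steps, so this narrows the exposure but does not close the window in which a link can be swapped between them.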
