Hidden files are created automatically by many tools to store user preferences and state; well-known examples include .profile, .bashrc,
.bash_history and .git. To keep listings uncluttered, operating system commands such as ls do not display these files by default.
Outside of the user environment, hidden files are sensitive because they are commonly used to store privacy-related information or even hard-coded
secrets (for example a .env file with database credentials, or a .git directory from which source code and history can be reconstructed).
Ask Yourself Whether
- Hidden files may have been inadvertently uploaded to the static server's public directory and the server accepts requests for hidden files.
- There is no business use case for serving files whose name begins with a dot (.name), but the server is not configured to reject requests for such files.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
- Disable the serving of hidden files.
Sensitive Code Example
Express.js serve-static middleware:
const express = require("express");
let serveStatic = require("serve-static");
let app = express();
// 'allow' disables dotfile handling entirely: a request for /.env or /.git/config is served like any other file
let serveStaticMiddleware = serveStatic('public', { 'index': false, 'dotfiles': 'allow'}); // Sensitive
app.use(serveStaticMiddleware);
Compliant Solution
Express.js serve-static middleware:
const express = require("express");
let serveStatic = require("serve-static");
let app = express();
let serveStaticMiddleware = serveStatic('public', { 'index': false, 'dotfiles': 'ignore'}); // Compliant: 'ignore' (404) or 'deny' (403) refuse a request whenever any segment of the path begins with a dot
let serveStaticDefault = serveStatic('public', { 'index': false}); // Compliant: without the option, serve-static behaves like 'ignore' for a file whose own name begins with a dot, with the exception that files inside a directory that begins with a dot (e.g. .git/config) are NOT ignored; setting 'ignore' or 'deny' explicitly is therefore the safer choice (see the serve-static module documentation)
app.use(serveStaticMiddleware);
See