Possible security issue #265

Open
ghost opened this issue Dec 14, 2022 · 0 comments

Hello,

I have noticed that this middleware doesn't cover files like Nuxt.js runtime/chunk files or static assets.
If this is being used in an admin panel for example, then some important data may be leaked.
In my opinion it should cover the whole application, not only the pages.

To reproduce:
Try viewing a file like 127.0.0.1:3000/_nuxt/runtime.js or some static asset.

Here's how I fixed it myself:
Running this middleware using native Express instead of Nuxt middleware will make it run before anything else,
therefore protecting internal Nuxt files or static assets.

It can be done by changing the way of creating the middleware from:
this.addServerMiddleware(middleware)
to this:
this.nuxt.server.app.use(middleware)
(nuxt.server doesn't exist at build time, so it needs to be null checked)

Unfortunately I have no time to make a pull request.

If this is not an issue, then I believe it should be mentioned in the documentation that this middleware doesn't cover files like that.
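
The ordering problem described in this issue, as an added example that is not part of the original report or the project's code: a minimal connect-style chain that needs neither Express nor Nuxt. `authGate`, `staticFiles`, `pageRenderer` and the token value are hypothetical stand-ins, and the handler order in `gateAfterStatic` is assumed from the report.

```javascript
// Minimal connect-style dispatcher: runs handlers in registration order
// until one of them writes a response instead of calling next().
function dispatch(chain, req) {
  const res = { status: null, body: null };
  let i = 0;
  const next = () => {
    const handler = chain[i++];
    if (!handler) { res.status = 404; res.body = 'not found'; return; }
    handler(req, res, next);
  };
  next();
  return res;
}

// Hypothetical auth gate standing in for the module's middleware.
// The credential is a constructed sample value.
function authGate(req, res, next) {
  if (req.headers.authorization === 'Basic constructed-token') return next();
  res.status = 401;
  res.body = 'auth required';
}

// Stand-in for the handler that serves /_nuxt/* bundles and static assets.
function staticFiles(req, res, next) {
  if (req.url.startsWith('/_nuxt/')) {
    res.status = 200;
    res.body = '/* bundle contents */';
    return;
  }
  next();
}

// Stand-in for the page renderer at the end of the chain.
function pageRenderer(req, res) {
  res.status = 200;
  res.body = '<html>admin</html>';
}

// Order assumed from the report: the static handler answers before the gate runs.
const gateAfterStatic = [staticFiles, authGate, pageRenderer];
// Order after the reporter's change: the gate is registered first.
const gateFirst = [authGate, staticFiles, pageRenderer];

// Returns the status code an unauthenticated or authenticated request receives.
function probe(chain, url, headers = {}) {
  return dispatch(chain, { url, headers }).status;
}
```

Calling `probe` for both a page URL and an asset URL without credentials gives a regression check for the gap the report describes.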
