Post mortem of recent security assessment.
It was possible, through a carefully encoded URL, to get st to serve any file it could see, not just the ones in the static content directory, and you could also list the contents of directories, so it was very easy to go looking for sensitive files.
This is really disappointing. It was disappointing to see directory traversal bugs ten years ago. If only there were some way to restrict an application’s view of the file system…
The big question is why anyone would allow static files to be served by an application server (as opposed to a webserver like Apache or Nginx) on a production site. The guidance shouldn’t be “upgrade your st module”, it should be “Why the hell are you using st in production? What is wrong with you?”
What is wrong with serving static files with an application server? It’s far easier to deploy, and should be enough until you need to move to a CDN.
Fair question. I added a file handler to my own web framework because it seemed to make debugging easier, but then I came to the realization that configuring something like nginx to serve even the test environment was small potatoes compared to everything else that needed doing, such as setting up memcached, etc.
Servers like nginx are 1. far, far more optimized to handle serving static content 2. trivial to set up.
There are numerous advantages from doing things the right way in production, and the penalty for development is so small, there’s no reason not to just do it right all the time. The file serving code in nginx (or any mainstream webserver) is better tested and better optimized than your app server’s file module will ever be.
Using it in development is fine, but using it in production is a bad idea, because you are relying on your application code to make sure you don’t accidentally serve up files you didn’t intend to serve. Configuring nginx to serve your static files and proxy to your application is not that difficult. Web servers like Nginx and Apache have had a lot of work done to make sure that they don’t serve files outside of the document root (I believe they chroot themselves).
Look, node.js is so enterprise production ready we even use it to serve static files. There’s a kind of pure stack ideology that infects people who are too vested in a framework.
“We know about XSS, except when we don’t bother.” is not reassuring at all. I went to the trouble of escaping tags in my blog, even though it had zero readers, I’m the only person who can write tags, and the submission handler rejects any tag that isn’t alphanumeric. Escaping user input is never an optional part of a web app, no matter how hobbyist it is.