Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Possible to access files outside of webpack output path #889

Closed
edmorley opened this issue Apr 24, 2017 · 3 comments
Closed

Possible to access files outside of webpack output path #889

edmorley opened this issue Apr 24, 2017 · 3 comments

Comments

@edmorley
Copy link

edmorley commented Apr 24, 2017

Broken out of #887.

It's possible to access files that would not end up in the webpack output path (eg dist/) for the full webpack build.

STR:

  1. Install nodejs 7.x, webpack 2.4.1 and webpack-dev-server 2.4.4
  2. Create a new project based on https://webpack.js.org/guides/get-started/#using-webpack-with-a-config (and save dependencies to package.json, init a git repo etc)
  3. Run ./node_modules/.bin/webpack-dev-server
  4. In another terminal, try requests like (or for any other file that wouldn't be copied to dist/):
  • curl -i localhost:8080/package.json
  • curl -i localhost:8080/.git/config

Expected:
HTTP 404s or similar.

Actual:
HTTP 200s for cases where the file exists, along with the file contents.

@sokra
Copy link
Member

sokra commented Apr 24, 2017

I guess this is not a bug, because this is intended behavior. The contentBase option defaults to the current directory and the webpack-dev-server acts as static web server. This is important to serve the HTML files and other files from this directory.

@sokra
Copy link
Member

sokra commented Apr 24, 2017

Added this sentence to the blog post:

Consider all passwords/keys in your “content base” (which defaults to the current directory) as leaked.

@edmorley
Copy link
Author

Ah ok, my main use of webpack is via https://github.com/mozilla-neutrino/neutrino-dev , which doesn't leave any assets outside of the main output directory (and so makes contentbase default to it), but if that's not a typical usage pattern then I guess this is unavoidable.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants