This repository has been archived by the owner on Apr 18, 2023. It is now read-only.

Security: Static client resources are loaded from the root package, giving access to the entire backend jar #15

Open
rocketraman opened this issue Mar 7, 2023 · 0 comments

Comments

@rocketraman

The static client resources are loaded from the root package, which gives clients access to the entire backend jar.

For example, run the server and then try to access:

http://localhost:8080/application.conf

or

http://localhost:8080/MainKt.class

Both of these work!

The copy task at https://github.com/Kotlin/full-stack-web-jetbrains-night-sample/blob/master/server/build.gradle.kts#L55-L57 should be modified to put the resources into a subdirectory, e.g. `web`, and then Ktor configured to serve static resources from the `web` package only.
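As an added illustration of the fix described above (example code, not the sample repository's own build script or server code), the two files involved: the Ktor static route confined to a `web` resource package, and a Gradle copy step placing the client bundle under that package. Ktor 1.x import paths, the `processResources` task name and the `:client` project path are assumptions.

```kotlin
// ---- server/src/main/kotlin/Application.kt (Ktor 1.x import paths assumed) ----
import io.ktor.application.*
import io.ktor.http.content.*
import io.ktor.routing.*

fun Application.module() {
    routing {
        static("/") {
            // Vulnerable shape: resources() with no package serves the classpath
            // root, so /application.conf and /MainKt.class are downloadable.
            // resources()

            // Hardened: only the "web" resource package is reachable. A request
            // for /application.conf or /MainKt.class no longer matches a file
            // and falls through to the usual 404.
            resources("web")
            defaultResource("index.html", "web")
        }
    }
}

// ---- server/build.gradle.kts (illustrative; task and project names assumed) ----
// The built client bundle; the real distribution directory may differ.
val clientDist = project(":client").layout.buildDirectory.dir("distributions")

tasks.named<Copy>("processResources") {
    // Weak: from(clientDist) alone would drop index.html and the JS bundle
    // beside application.conf and the compiled classes on the classpath root.
    // Fixed: the nested into("web") confines the bundle to the "web" package,
    // matching resources("web") above.
    from(clientDist) { into("web") }
}
```

After rebuilding, `curl -i http://localhost:8080/application.conf` should answer 404 while `/` and `/index.html` still serve the client.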
