Node.js - can includes or readFileSync be bypassed?

Time: 08-07

I have the following. Let's say, for instance, the folder had some config files: would the code below be enough to stop people finding admin.config, for example, or is there a way to bypass the includes or readFileSync functions?

app.use((req, res, next) => {
    if ([req.body, req.headers, req.query].some(
        (item) => item && JSON.stringify(item).includes("config")
    )) {
        return res.send("Restricted");
    }
    next();
});

So what I am getting at is that, with the code above, no one can currently read admin.config, and if they can, how would they? What about server.config or xxx.config? The reason I am asking is that we have this code on our server, which we are unable to change. I want the vendor to amend it, but they say that since we can't access config files directly we are fine. I am sure that somehow we are able to, but I can't prove it.

CodePudding user response:

If you would like to secure your .env file, I recommend using the secure-env package. It is used to encrypt your .env file, which you can then access in your code. There are a lot of options for encryption. Refer to: https://www.npmjs.com/package/secure-env

CodePudding user response:

It can be bypassed, that's why it's on the CTF :) Try harder.
