I have the following. Let's say for instance the folder had some config files, would the below be enough to stop people finding admin.config for example, or is there a way to bypass the includes or readFileSync functions?
```javascript
const express = require('express');
const app = express();

// Vendor middleware: refuses any request whose body, headers or query string
// contains the substring "config" once JSON-serialised (req.body is only
// populated if a body parser is mounted before this middleware).
app.use((req, res, next) => {
  if ([req.body, req.headers, req.query].some(
    (item) => item && JSON.stringify(item).includes("config")
  )) {
    return res.send("Restricted");
  }
  next();
});
```
So currently, with the code above, no one can read admin.config is what I am getting at, and if they can, how would they? What about server.config or xxx.config? The reason I am asking is that we have this code on our server which we are unable to change. I want the vendor to amend it, but they say that since we can't access config files directly we are fine. I am sure somehow we are able to, but I can't prove it.
CodePudding user response:
If you would like to secure your .env file, I recommend using the secure-env package. It is used to encrypt your .env file, which can then be accessed in your code. There are a lot of options for encryption. Refer to: https://www.npmjs.com/package/secure-env
CodePudding user response:
It can be bypassed, that's why it's on the CTF :) Try harder