Issue Plesk NodeJS file direct access - vulnerability

michal2013

New Pleskian
How can I prevent direct access to `app.js`?

When anyone accesses 'example.com/app.js', I'm able to see all the code inside app.js, which is not safe and secure.

Plesk has to understand the situation and find/provide the proper solution for this.

My project structure is given below:
HOST: 'www.example.com'
```
D:\PROJECT - LIVE\IMS\
├── app.js # Main application entry point
├── ecosystem.config.js # PM2 configuration
├── package.json
├── package-lock.json

├── certificate/ # SSL certificates
├── keys/ # Security keys

├── config/
│ └── myDB.js

├── cronjobs/
│ └── cronjob.js

├── middleware/
│ ├── mPermission.js

├── routes/
│ ├── index.js
│ ├── router.js
│ ├── ADMIN/
│ │ ├── mail.js
│ │ └── CREDENTIAL/
│ │ └── credential.js
│ ├── CHAT/
│ │ └── chatRoutes.js
│ ├── login/
│ │ └── loginPage.js
│ ├── PROFILE/userProfile/

├── public/
│ ├── images/
│ │ └── favicon.png
│ └── stylesheets/
│ └── style.css

├── views/
│ ├── error.html
│ ├── error.jade

├── uploads/
│ ├── file/
├── tmp/
└── node_modules/
```
 
Hi,

PM2 on Plesk? I don't think that's going to work.

But regarding your issue, can you post a screenshot of the Node.js settings? Did you assign app.js to "Application Startup File"?
 
We can ignore `ecosystem.config.js` (PM2 configuration).
"Application Startup File" is `app.js`.

This Node.js app runs on Plesk Panel.

The issue: I am able to directly access the JS code inside app.js when I open `[HOST]/app.js`.
 
Normally, a Node.js app uses a public folder which you use as the document root. That prevents your code from being exposed in the browser.

Currently, it looks like your Document Root is set to the same location as your Application Root (D:\PROJECT - LIVE\IMS\), which is why app.js and other files are directly accessible via HTTP.

Your public folder only contains static assets (CSS/images). How does your application serve HTML to users? Do you use a template engine (I see .jade files), or is this an API-only application? This will help determine the correct Document Root configuration.

In most cases, setting Document Root to D:\PROJECT - LIVE\IMS\public should solve this issue.
 
If you can't change the document root to \public for whatever reason, you should be able to just restrict access. Since it seems like you're on Windows, you're using IIS. You should be able to pull this off by editing the web.config file to add whatever path you don't want people to access:

XML:
```xml
<configuration>
 <system.webServer>
  <security>
   <requestFiltering>
    <hiddenSegments>
     <add segment="Folder"/>
    </hiddenSegments>
   </requestFiltering>
  </security>
 </system.webServer>
</configuration>
```

Or to block specific extensions only:

XML:
```xml
<configuration>
    <system.webServer>
        <security>
            <requestFiltering>
                <fileExtensions>
                    <add fileExtension=".js" allowed="false" />
                </fileExtensions>
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>
```

If you prefer a GUI approach, you can follow the instructions outlined at IIS - ignore/deny access to specific pages (I don't have a Windows server, so I'm not sure if this can be done natively within Plesk for Windows, so you'll need to RDP to the server to set that up).

But honestly you should just do what @Maarten said and just update the document root to \public.
 