Closed Alexufo closed 2 months ago
You should place the config.json file outside the document root folder.
This is definitely a weird request. As an alternative, if you are on OpenBSD or Linux, just use unveil or landlock to whitelist the directories the application is able to access. See my repo and blog post for details. You likely want to do something like the following, though I still think it is not ideal:
```cpp
unveil(app().getDocumentRoot().c_str(), "r");
unveil((app().getDocumentRoot() + "/config.json").c_str(), "");
unveil(app().getUploadPath().c_str(), "rwc");
// TODO: add more paths like /dev /etc as you likely need them
unveil(NULL, NULL);
```
Unveil API on Linux https://github.com/marty1885/landlock-unveil
OpenBSD unveil https://man.openbsd.org/unveil.2
@marty1885
Thanks for the solution, it's interesting, but I need something platform independent.
The Drogon json config contains comments. This is not the correct json format. Json with comments has the file extension "jsonc". Also, one could potentially forget to add the json config to the blacklist.
In my case, I add the extension to the sources:
```cpp
std::vector<std::string> JsonConfigAdapter::getExtensions() const
{
    return {"json", "jsonc"};
}
```
> You should place the config.json file outside the document root folder.
This is correct. In my case it is a REST API, where alongside the executable file there is only a docs folder with HTML. I didn't want the extra nesting for only one folder for the local distribution.
loadConfigFile cannot load a jsonc file. I want to rename the file for security reasons (the root is the root of Drogon, and the config.json file can be loaded as a static file from public).
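
A platform-independent startup check for the exposure discussed in this thread (config.json reachable as a static file because it sits under the document root), added here as an example and not taken from any comment or from Drogon. It uses C++17 std::filesystem; the function names are hypothetical and the default paths in main are constructed sample values.

```cpp
#include <algorithm>
#include <filesystem>
#include <iostream>
#include <system_error>

namespace fs = std::filesystem;

// Hypothetical helper: absolute, normalised form of a path. Symlinks are
// followed for the part that exists; "." and ".." are collapsed for the rest.
static fs::path resolvePath(const fs::path &p)
{
    std::error_code ec;
    fs::path out = fs::weakly_canonical(fs::absolute(p), ec);
    if (ec)  // could not touch the filesystem: fall back to lexical clean-up
        out = fs::absolute(p).lexically_normal();
    // "./" or "/srv/www/" end in an empty component; drop it before comparing.
    if (!out.has_filename() && out.has_relative_path())
        out = out.parent_path();
    return out;
}

// True when `file` resolves to a location at or below `docRoot`.
// The comparison is per path component, so a sibling such as /srv/www2 is
// not treated as being inside /srv/www (a plain string prefix test would).
bool isInsideDocumentRoot(const fs::path &file, const fs::path &docRoot)
{
    const fs::path f = resolvePath(file);
    const fs::path r = resolvePath(docRoot);
    return std::mismatch(r.begin(), r.end(), f.begin(), f.end()).first == r.end();
}

int main(int argc, char **argv)
{
    // Constructed sample values. In a Drogon app these would be the path given
    // to loadConfigFile() and the value of app().getDocumentRoot().
    const fs::path config = argc > 1 ? argv[1] : "config.json";
    const fs::path docRoot = argc > 2 ? argv[2] : "./";
    if (isInsideDocumentRoot(config, docRoot))
    {
        std::cerr << "refusing to start: " << config
                  << " is inside document root " << docRoot << "\n";
        return 1;
    }
    return 0;
}
```

Run before the server begins listening, this fails closed when the config file would be servable, whatever its name or extension.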