This is likely the Intellij Kotlin project wizard, more than KTOR plugin, but I can't tell from outside which plugin adds the Kotlin "Full Stack Web" project creator. Anyways, it generates this code for serving the static content:
The resources() seems dangerous, without a limit on the file extensions served, and without a package prefix, you could basically download class files and anything else in the class path, which could include configuration and other unintended files.
This is a bad practice to teach, and people won't question what this wizard creates.
This is likely the Intellij Kotlin project wizard, more than KTOR plugin, but I can't tell from outside which plugin adds the Kotlin "Full Stack Web" project creator. Anyways, it generates this code for serving the static content:
The
resources()seems dangerous, without a limit on the file extensions served, and without a package prefix, you could basically download class files and anything else in the class path, which could include configuration and other unintended files.This is a bad practice to teach, and people won't question what this wizard creates.