lvarayut / relay-fullstack

:point_up::running: Modern Relay Starter Kit - Integrated with Relay, GraphQL, Express, ES6/ES7, JSX, Webpack, Babel, Material Design Lite, and PostCSS
https://lvarayut.github.io/relay-fullstack/
MIT License

Security issue with deploy script #94

Closed jkettmann closed 7 years ago

jkettmann commented 7 years ago

All server-side files are exposed when running the deploy script. You can see the file structure afterwards in the following image. The compiled app files are located next to the compiled server files.

[image: screenshot 2017-06-30 15 34 31]

This directory is made public via `express.static`. So if you use the deploy script to publish your app in production, everyone can look up all server-side code. As an example, you can run `npm run deploy` and go to `localhost:3000/index.js` (see below image). This is the compiled server entry.

[image: screenshot 2017-06-30 15 37 37]

This is not possible on the deployed Heroku version, because there the server-side code is compiled to the directory `lib`, so it is not located inside the static directory.

ncrmro commented 7 years ago

@jkettmann Thanks for discovering this potential issue; we love pull requests! Also, maybe you could post some potential solutions here we could discuss.