matomo-org / matomo-nginx

Nginx configuration for running Matomo

Deny `package-lock.json` #62

Closed fmarier closed 3 years ago

fmarier commented 3 years ago

It would be good to prevent package-lock.json from being served, since it exposes the exact versions of packages running on a server.

For example: https://demo.matomo.cloud/package-lock.json

fmarier commented 3 years ago

The following config will block it:

    # Refuse to serve the top-level package-lock.json (deny already yields 403;
    # the explicit return makes the response code unambiguous)
    location ~ ^/package-lock\.json$ {
        deny all;
        return 403;
    }

but perhaps all package-lock.json files regardless of path should be blocked.

Findus23 commented 3 years ago

I'm not sure how useful this is, as simply looking at https://github.com/matomo-org/matomo/blob/4.2.1/package-lock.json will tell the attacker the same thing with no additional effort.

Also, I try to keep this repo kind of similar to what the .htaccess files in Matomo do, to avoid losing an overview of what is and isn't blocked.

fmarier commented 3 years ago

For an installation that's up-to-date, I agree, there's not much point in hiding this given it's also on GitHub.

In the case where an admin hasn't yet updated their Matomo, then the presence of that file makes automatic exploitation easier.

Findus23 commented 3 years ago

You are right, but the cleaner way is to simply remove the file from the Matomo build, which should be done with https://github.com/matomo-org/matomo-package/pull/126.