Closed fmarier closed 3 years ago
The following config will block it:
location ~ ^/package-lock\.json$ {
deny all;
return 403;
}
but perhaps all package-lock.json
files regardless of path should be blocked.
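To show the difference between the root-only pattern above and a path-agnostic one, here is a small added check (not from this thread or the matomo-nginx project) that runs both regexes against constructed sample URIs; the broadened pattern `/package-lock\.json$` is my assumption of what "regardless of path" would look like in an nginx `location ~` block.

```python
import re

# Two candidate regexes for an nginx "location ~" block. The first is the one
# posted in the thread (matches only the file at the web root); the second is an
# assumed broadening that matches a package-lock.json anywhere in the URI path.
# nginx evaluates "~" locations with PCRE against the normalized URI; Python's
# re module behaves the same for patterns this simple.
ROOT_ONLY = r"^/package-lock\.json$"
ANY_PATH = r"/package-lock\.json$"

# Constructed sample request paths an administrator might want to verify.
SAMPLE_PATHS = [
    "/package-lock.json",
    "/vendor/some-lib/package-lock.json",
    "/plugins/CoreHome/package-lock.json",
    "/package-lock.json.bak",
    "/index.php",
    "/packageXlock.json",
]


def is_blocked(path: str, pattern: str) -> bool:
    """True if an nginx 'location ~ <pattern>' would match this URI."""
    return re.search(pattern, path) is not None


def compare(paths, old=ROOT_ONLY, new=ANY_PATH):
    """Map each path to (blocked by root-only pattern, blocked by any-path pattern)."""
    return {p: (is_blocked(p, old), is_blocked(p, new)) for p in paths}


def uncovered_by(pattern: str, paths):
    """Paths that end in package-lock.json which the given pattern would still serve."""
    return [p for p in paths
            if p.endswith("/package-lock.json") and not is_blocked(p, pattern)]


if __name__ == "__main__":
    for path, (old, new) in compare(SAMPLE_PATHS).items():
        print(f"{path:40} root-only={old!s:5} any-path={new!s:5}")
    print("still served by root-only pattern:", uncovered_by(ROOT_ONLY, SAMPLE_PATHS))
```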
I'm not sure how useful this is, as simply looking at https://github.com/matomo-org/matomo/blob/4.2.1/package-lock.json will tell the attacker the same thing with no additional effort.
Also, I try to keep this repo kind of similar to what the .htaccess files in Matomo do, to avoid losing an overview of what is and isn't blocked.
For an installation that's up-to-date, I agree, there's not much point in hiding this given it's also on GitHub.
In the case where an admin hasn't yet updated their Matomo, then the presence of that file makes automatic exploitation easier.
You are right, but the cleaner way is to simply remove the file from the Matomo build which should be done with https://github.com/matomo-org/matomo-package/pull/126
It would be good to prevent package-lock.json from being served since they expose the exact versions of packages running on a server. For example: https://demo.matomo.cloud/package-lock.json