forbid access to server-bundle.json in production (#916)

Pooya Parsa 2017-06-18 12:48:45 +04:30
parent 6146de34f8
commit fa9bc9445b


@ -180,6 +180,11 @@ export default class Renderer extends Tapable {
if (!this.options.dev && req.url.indexOf(this.options.build.publicPath) === 0) {
const url = req.url
req.url = req.url.replace(this.options.build.publicPath, '/')
// Forbid access to sensitive data (#916)
if (req.url.includes('server-bundle.json')) {
res.statusCode = 404
return res.end()
}
await this.serveStaticNuxt(req, res)
/* istanbul ignore next */
req.url = url
@ -306,7 +311,7 @@ export default class Renderer extends Tapable {
if (!jsdom) {
try {
jsdom = require('jsdom')
} catch (e) /* istanbul ignore next */{
} catch (e) /* istanbul ignore next */ {
console.error('Fail when calling nuxt.renderAndGetWindow(url)') // eslint-disable-line no-console
console.error('jsdom module is not installed') // eslint-disable-line no-console
console.error('Please install jsdom with: npm install --save-dev jsdom') // eslint-disable-line no-console
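Review bot: In the first hunk, the new guard `req.url.includes('server-bundle.json')` matches the raw request URL, so it only holds if `serveStaticNuxt` resolves files from that same undecoded string. `serveStaticNuxt` is not visible here; if it percent-decodes or normalises the path before touching the filesystem, an encoded spelling of the file name would not match the substring test, and a case-insensitive filesystem adds another gap. I would run the check on the decoded pathname, for example `const pathname = decodeURIComponent(req.url.split('?')[0])` with malformed encodings rejected, and compare case-insensitively. As the stronger fix, keep the server bundle out of the directory served under `publicPath`, so that disclosure does not depend on a name denylist. A regression test that requests the bundle under `publicPath` in production mode and expects a 404 would pin the behaviour. The enclosing function starts and ends outside the hunk, and the early `return res.end()` skips the later `req.url = url` restore, which looks harmless once the response has ended but deserves a short comment.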