
...why? I get that file-system based routing means you know the location of a source file on disk, but if anyone can access that file you've already lost.

And auto-dependency resolution also doesn't seem any larger a security concern, all it's doing is skipping an "npm install" command.

Because if you ever have a broken upload system that allows you to drop a JS file somewhere accessible by the file system routing, you have remote code execution. Additionally, you now have to write guards in every non-endpoint JS file so that it doesn't get executed just by a misplaced HTTP request.

And as for automatic dependency resolution, this means you're not even aware of what transitive dependencies you're pulling in, what version they are and have no way to vet anything - everything is hidden behind a wall of magic.

Make your application directory read-only to the user running the application, as it ought to be anyway.

Automatic dependency resolution however... Fantastic for experimentation, but that's a dealbreaker for production. Maybe it would be OK if it actually wrote the package-lock.json to the application directory, I'd have to think about that.

In this case the application also tries to auto-install dependencies, so making it read-only removes one of the stated features.

I think this framework hasn't been written with security in mind at all.

Whatever it's doing, it's not writing the packages into the application directory.

If it can write to the application's dependencies, isn't that as good as writing to the application?

Probably having .htaccess / .env / database configuration / files that are not supposed to be public be exposed.

For instance, Rails has a public/ folder for files that are going to be served. And Jekyll hides files by pattern-matching them[1].

Zero doesn't seem to have exclude folders by default. The solution would be to run Zero in a subfolder and require files in the parent folder, which would act as the tree's root.

[1]: https://help.github.com/en/articles/files-that-start-with-an...

Currently, files starting with _ (underscore) are hidden in Zero. This is still a feature spec we need to finalize as this can create confusion. Maybe a .zeroignore file (as suggested in another comment) would be a better idea.

Why not reverse that and use a whitelist instead? It’s a lot easier to decide what folders and files should be served than to think of all the things that shouldn’t.

Next.js uses a pages/ subdirectory which gives you implicit routing, without having to compromise on the whitelist aspect. I think it's a better compromise.
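
The allowlist idea from the last two comments, set beside a simplified model of the underscore-only hiding described earlier in the thread. This is an added example, not part of the thread and not Zero's or Next.js's code; the file listing, function names and lookup order are constructed for illustration.

```javascript
// Constructed project listing (paths relative to the app root); not a real application.
const PROJECT_FILES = new Set([
  "pages/index.js", "pages/api/users.js", "pages/_helpers.js",
  "lib/db.js", "uploads/avatar.js", ".env", "package.json",
]);

// Decode a request path into segments; null means "refuse to route".
function segments(urlPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(urlPath.split("?")[0]);
  } catch (err) {
    return null; // malformed percent-encoding
  }
  if (/[\0\\]/.test(decoded)) return null; // NUL bytes and backslashes
  const segs = decoded.split("/").filter((s) => s !== "");
  // Reject dot segments outright instead of trying to normalize them.
  return segs.some((s) => s === "." || s === "..") ? null : segs;
}

// Try the exact file, then "<path>.js", then "<path>/index.js" below `root`.
function lookup(root, segs, files) {
  const base = [...root, ...segs].join("/");
  const candidates = [base, `${base}.js`, [...root, ...segs, "index.js"].join("/")];
  return candidates.find((c) => files.has(c)) || null;
}

// Denylist model: the whole app root is routable, only "_"-prefixed names are hidden.
function denylistRoute(urlPath, files = PROJECT_FILES) {
  const segs = segments(urlPath);
  if (!segs || segs.some((s) => s.startsWith("_"))) return null;
  return lookup([], segs, files);
}

// Allowlist model: only .js handlers under pages/ are routable, nothing else.
function allowlistRoute(urlPath, files = PROJECT_FILES) {
  const segs = segments(urlPath);
  if (!segs || segs.some((s) => s.startsWith("_") || s.startsWith("."))) return null;
  const hit = lookup(["pages"], segs, files);
  return hit && hit.endsWith(".js") ? hit : null;
}

// Resolve the same request paths under both models for a side-by-side view.
function compare(paths) {
  return paths.map((p) => ({ path: p, denylist: denylistRoute(p), allowlist: allowlistRoute(p) }));
}

console.table(compare(["/", "/api/users", "/lib/db", "/uploads/avatar", "/.env", "/%2e%2e/lib/db", "/_helpers"]));
```

Under the denylist model, anything not explicitly hidden resolves, including a file in uploads/ and the .env file; under the allowlist model those requests return null because they are outside pages/.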
