If I'm doing .use(express.static('/var/www/html')) and some attacker manages to ln -s /etc/passwd /var/www/html, then http://host/passwd will serve up /etc/passwd. Is there any way to tell serve-static not to follow symlinks, or to restrict them so that they're only followed to files within the directory being served?
I'm essentially asking for Apache's FollowSymLinks or nginx's disable_symlinks.
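The restriction asked about above (follow symlinks only when they resolve inside the served directory) can be sketched as a guard mounted in front of `express.static`. This is an added example, not part of the original question and not serve-static's own code; `classifyPath` and `denySymlinkEscape` are hypothetical names, and it assumes a POSIX filesystem and Express's `req.path`.

```javascript
const fs = require('fs');
const path = require('path');

// Classify urlPath relative to root after resolving every symlink:
// 'inside', 'outside' (resolves beyond root) or 'missing'.
function classifyPath(root, urlPath) {
  let realRoot, realTarget;
  try {
    realRoot = fs.realpathSync(root);
    // normalize('/' + p) collapses any ".." so the lexical path stays under root
    realTarget = fs.realpathSync(path.join(realRoot, path.normalize('/' + urlPath)));
  } catch (err) {
    return 'missing'; // no such file, dangling link, or unreadable component
  }
  const rel = path.relative(realRoot, realTarget);
  const escapes = rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  return escapes ? 'outside' : 'inside';
}

// Express-style guard (hypothetical helper); mount it in front of express.static(root).
function denySymlinkEscape(root) {
  return function (req, res, next) {
    let urlPath;
    try {
      urlPath = decodeURIComponent(req.path);
    } catch (err) {
      res.statusCode = 400; // malformed percent-encoding
      return res.end();
    }
    if (classifyPath(root, urlPath) === 'outside') {
      res.statusCode = 403;
      return res.end();
    }
    return next(); // inside or missing: let the static handler answer
  };
}
```

The check and the later file open are separate steps, so a link swapped in between them is not caught. Keeping the served tree unwritable by untrusted users remains the primary control.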