# Lab 13: Allow List for Static Assets

Jooby makes it very easy for us to create an allow list (formerly known as a white list) for the URLs that it is allowed to serve. Jooby will return a 404 error for any URL that isn't explicitly allowed.

The API paths are already covered: each of our modules lists only the URLs it needs, and Jooby rejects every other path.

The StaticAssetModule is the primary problem, since it will serve anything that is in the <> folder. If a malicious user can somehow get a file into this folder, then our web server will happily serve it.

An allow list includes only the files that are allowed to be served. Anything that is not in the list will be rejected.

Expand the assets module to explicitly list all of the files that your AJAX client is using.

The result should look something like:

```java
// home page
assets("/", Paths.get("static/index.html"));

// html files
assets("/index.html", Paths.get("static/index.html"));
assets("/signin.html", Paths.get("static/signin.html"));
// ... and the rest of the HTML files

// css files
assets("/css/style.css", Paths.get("static/css/style.css"));
// ... and the rest of the CSS files

// JavaScript files
assets("/js/data-store.js", Paths.get("static/js/data-store.js"));
assets("/js/authentication.js", Paths.get("static/js/authentication.js"));
assets("/js/navigation.js", Paths.get("static/js/navigation.js"));
assets("/js/customer.js", Paths.get("static/js/customer.js"));
// ... and the rest of the JavaScript files

// external JavaScript files
assets("/js/external/vue.global.js", Paths.get("static/js/external/vue.global.js"));
assets("/js/external/vuex.global.js", Paths.get("static/js/external/vuex.global.js"));
assets("/js/external/vuex-persistedstate.js", Paths.get("static/js/external/vuex-persistedstate.js"));
assets("/js/external/axios.js", Paths.get("static/js/external/axios.js"));

// ... and any images that you have added
```

You need to list every single file that your client is using. While this is a little bit tedious it does add a lot of protection to the web site.

Comment out the existing catch-all assets line, since it is the one that serves the whole folder and is therefore dangerous.
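Keeping the explicit list in step with the files on disk is the tedious part, so here is a small audit script for it. This is an added example, not part of the lab and not Jooby code: it pulls the `assets("url", Paths.get("file"))` calls out of the module source, skips commented-out lines (so the disabled catch-all no longer counts), and reports listed files that do not exist, files in the static folder that nothing lists, and any URL pattern that still contains a wildcard. The Java snippet and project tree it runs against are constructed for the example, and the commented-out `assets("/**", Paths.get("static"))` line is a hypothetical stand-in for whatever catch-all your module originally had.

```python
"""Audit a Jooby static-asset allow list against the files on disk.

Added example (not from the lab or from Jooby). Reports:
  - missing:   listed files that are not on disk (you will see these as 404s when you test),
  - unlisted:  files under the static folder that no entry serves (fine if unused,
               worth a close look if you did not put them there),
  - wildcards: URL patterns that still contain '*' (a catch-all that defeats the list).
"""
import re
import tempfile
from pathlib import Path

# Matches one call such as:  assets("/js/app.js", Paths.get("static/js/app.js"));
ASSET_RE = re.compile(r'assets\(\s*"([^"]*)"\s*,\s*Paths\.get\(\s*"([^"]*)"\s*\)\s*\)')


def parse_allow_list(java_source):
    """Return {url_pattern: file_path} for every active assets(...) call.

    Lines whose first non-blank characters are '//' are skipped, so a
    commented-out catch-all is treated as no longer allowed.
    """
    allowed = {}
    for line in java_source.splitlines():
        if line.lstrip().startswith("//"):
            continue
        match = ASSET_RE.search(line)
        if match:
            allowed[match.group(1)] = match.group(2)
    return allowed


def audit(allowed, project_root):
    """Compare the allow list with the files that actually exist under project_root."""
    project_root = Path(project_root)
    listed_files = set(allowed.values())
    missing = sorted(f for f in listed_files if not (project_root / f).is_file())
    wildcards = sorted(url for url in allowed if "*" in url)

    # Walk every top-level folder the allow list points into (normally just "static")
    # and collect files that no entry references.
    roots = {Path(f).parts[0] for f in listed_files}
    unlisted = []
    for root in roots:
        folder = project_root / root
        if not folder.is_dir():
            continue
        for path in folder.rglob("*"):
            if path.is_file():
                rel = path.relative_to(project_root).as_posix()
                if rel not in listed_files:
                    unlisted.append(rel)
    return {"missing": missing, "unlisted": sorted(unlisted), "wildcards": wildcards}


# Constructed sample source: a hypothetical old catch-all, commented out, then explicit entries.
SAMPLE_SOURCE = '''
// assets("/**", Paths.get("static"));   // hypothetical original catch-all, now disabled
assets("/", Paths.get("static/index.html"));
assets("/index.html", Paths.get("static/index.html"));
assets("/css/style.css", Paths.get("static/css/style.css"));
assets("/js/data-store.js", Paths.get("static/js/data-store.js"));
assets("/js/missing.js", Paths.get("static/js/missing.js"));
'''


def build_sample_project():
    """Create a throw-away project tree matching SAMPLE_SOURCE, plus one stray file."""
    root = Path(tempfile.mkdtemp())
    for rel in ["static/index.html", "static/css/style.css", "static/js/data-store.js",
                "static/uploads/stray.html"]:          # stray.html is listed nowhere
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("<!-- constructed sample file -->\n")
    return root


def run_sample():
    """Run the audit over the constructed project and return the report."""
    return audit(parse_allow_list(SAMPLE_SOURCE), build_sample_project())


if __name__ == "__main__":
    for key, items in run_sample().items():
        print(f"{key}: {items}")
```

Point `parse_allow_list` at your real module file and `audit` at the project root; an empty `missing` list plus an empty `wildcards` list is what you want to see before you restart, and anything unexpected in `unlisted` deserves a look before it is deleted.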

You have most likely received a phishing email containing a link to a random web site in another country that appears to be hosted by a small business. This is because the maintainers of that business's site did not use an allow list for their files, and an attacker found a way to upload their own pages to the site, which they are now using for phishing scams.

The attacker could just as easily (and may already have) uploaded a page that downloads sensitive data from the site.

Restart and test the application to make sure you didn't break anything: every page, stylesheet, script and image should still load, and a URL you did not list should now return a 404.