Lab 11: Allow List for Static Assets
Mark George, 27 Sep

Jooby makes it very easy for us to create an allow list (formerly known as a white list) for the URLs that it is allowed to serve. Jooby will return a 404 error for any URL that isn't explicitly allowed.

The API paths are already allowed simply because we have listed all of the URLs that we need in our modules and Jooby will reject all others.

The StaticAssetModule is the primary problem since it will serve anything that is in the <> folder. If a malicious user can somehow get a file into this folder then our web server will happily serve it.

An allow list includes only the files that are allowed to be served. Anything that is not in the list will be rejected with a 404 response.

Expand the assets module to explicitly list all of the files that your AJAX client is using.

The result should look something like:

```java
// home page
assets("/", Paths.get("static/index.html"));

// html files
assets("/index.html", Paths.get("static/index.html"));
assets("/signin.html", Paths.get("static/signin.html"));
// ... and the rest of the HTML files

// css files
assets("/css/style.css", Paths.get("static/css/style.css"));
// ... and the rest of the CSS files

// JavaScript files
assets("/js/data-store.js", Paths.get("static/js/session-store.js"));
assets("/js/navigation.js", Paths.get("static/js/navigation.js"));
assets("/js/customer.js", Paths.get("static/js/signin.js"));
// ... and the rest of the JavaScript files

// external JavaScript files
assets("/js/external/vue.global.js", Paths.get("static/js/external/vue.global.js"));
assets("/js/external/vuex.global.js", Paths.get("static/js/external/vuex.global.js"));
assets("/js/external/vuex-persistedstate.js", Paths.get("static/js/external/vuex-persistedstate.js"));
assets("/js/external/axios.js", Paths.get("static/js/external/axios.js"));

// ... and any images that you have added, if any
```

Adapt this to suit your file names. You need to list every single file that your client is using. While this is a little bit tedious, it adds a lot of protection to the web site.

You will also need to remember to add any new files that you create to the StaticAssetModule.

Comment out the existing assets line that serves the whole folder, since it is dangerous.
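Putting the steps above together, here is an added example of a complete StaticAssetModule; it is not the lab's own code. It keeps the allow list in one table of URL-to-file pairs, registers each pair with Jooby's assets(String, Path), and checks at start-up that every listed file actually exists, so a typo in the list fails immediately instead of surfacing later as a 404. The file names, the commented-out wildcard line (shown in the form a folder-wide assets call typically takes) and the mount(new StaticAssetModule()) call mentioned in the note below are assumptions for your project.

```java
import io.jooby.Jooby;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example, not the lab's own module. Serves only the files named in
// ALLOWED; everything else falls through to Jooby's default 404 response.
public class StaticAssetModule extends Jooby {

  // The allow list: each URL the client may request, and the single file it
  // maps to. File names below are assumed; adapt them to your project.
  private static final Map<String, String> ALLOWED = new LinkedHashMap<>();

  static {
    // home page
    ALLOWED.put("/", "static/index.html");

    // html files
    ALLOWED.put("/index.html", "static/index.html");
    ALLOWED.put("/signin.html", "static/signin.html");

    // css files
    ALLOWED.put("/css/style.css", "static/css/style.css");

    // JavaScript files
    ALLOWED.put("/js/navigation.js", "static/js/navigation.js");
    ALLOWED.put("/js/signin.js", "static/js/signin.js");

    // external JavaScript files
    ALLOWED.put("/js/external/vue.global.js", "static/js/external/vue.global.js");
    ALLOWED.put("/js/external/axios.js", "static/js/external/axios.js");
  }

  {
    // DANGEROUS: the folder-wide line this module replaces (assumed form).
    // It would serve any file that ends up in the static folder, including
    // one an attacker managed to upload. Leave it commented out.
    // assets("/?*", Paths.get("static"));

    for (Map.Entry<String, String> entry : ALLOWED.entrySet()) {
      Path file = Paths.get(entry.getValue());

      // Fail fast: a missing or misspelled file is a configuration error,
      // and it is better to find out at start-up than from a user's 404.
      if (!Files.isRegularFile(file)) {
        throw new IllegalStateException("Allow-listed asset is missing: " + file);
      }

      // One explicit route per file; no wildcard patterns anywhere.
      assets(entry.getKey(), file);
    }
  }
}
```

The module is assumed to be added to the application the same way as the other modules, for example with mount(new StaticAssetModule()) in the main application class. Because ALLOWED is the only place a file can be registered, adding a new client file is a one-line change in that table, and a forgotten entry shows up as a 404 during the restart-and-test step rather than as an exposed file.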

You have most likely received a phishing email that contains a link to a random web site in another country that appears to be hosted by a small business. This happens because the maintainers of that business's site did not use an allow list for their files, and an attacker found a way to upload their own pages to the site, which they are now using for phishing scams.

The attacker could just as easily (and may already have) uploaded a page that downloads sensitive data from the site.

Restart and test the application to make sure you didn't break anything.