Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


    Cloudron Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular

    Potential Security Concern / Feature Request

    Surfer
    3
    7
    233
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • murgero
      murgero App Dev last edited by

      I know surfer is supposed to be a simple app, but would it be possible for the app to be configured in such a way that it would not serve out files or full directories that start with "."

      Examples would be:

      • .git
      • .htaccess (I know these aren't used here, but for examples sake)

      I wanted to sync my surfer app with a git repo for ease of updating and it serves the .git folder. Not a huge risk but the config file in there can hold some sensitive information in some cases.

      --
      https://urgero.org
      ~ Professional Nerd. Freelance Programmer. ~

      1 Reply Last reply Reply Quote 2
      • nebulon
        nebulon Staff last edited by

        It sounds a bit like you have some work-flow or specific use-case in mind when you talk about syncing a git repo. Can you maybe describe what your plan is and then maybe there is a better solution than hiding files based on some rules. We can add this to surfer, but I guess this needs to be configurable then for other regular file serving usage.

        murgero 1 Reply Last reply Reply Quote 1
        • murgero
          murgero App Dev @nebulon last edited by

          @nebulon Yeah it is pretty specific I suppose. Maybe allowing the admin to select folders/files to be hidden from public view is the best option then instead. My use case is that I am using a non-public git repo to publish to my site but also keep track of changes. I am sure I'm not the only one using surfer in this way, but I also know that it's a niche request. I'd be more than happy to clone surfer add the feature and submit a PR if that better suits Cloudron staff.

          --
          https://urgero.org
          ~ Professional Nerd. Freelance Programmer. ~

          jdaviescoates nebulon 2 Replies Last reply Reply Quote 0
          • jdaviescoates
            jdaviescoates @murgero last edited by

            @murgero There could also just be an option to show/ hide hidden files (ie those that start with . ) like on desktop file browsers?

            I use Cloudron with Gandi & Hetzner

            1 Reply Last reply Reply Quote 0
            • nebulon
              nebulon Staff @murgero last edited by

              @murgero to take a step back, why are you pushing the .git folder in the first place, if you don't want to have things public? I feel like you could just not do that instead, no? Maybe I don't fully get the flow you are using there.

              murgero 1 Reply Last reply Reply Quote 0
              • murgero
                murgero App Dev @nebulon last edited by murgero

                @nebulon I am logging into my cloudron instance -> app -> terminal -> cd public -> git fetch && git pull directly in the app - that's how the folder gets there.

                @jdaviescoates - Hidden folders in surfer still get served up.

                To be clear I am NOT copying a git repo over webdav or ftp here, I am using git clone / git pull directly on the app...

                --
                https://urgero.org
                ~ Professional Nerd. Freelance Programmer. ~

                jdaviescoates 1 Reply Last reply Reply Quote 0
                • jdaviescoates
                  jdaviescoates @murgero last edited by

                  @murgero said in Potential Security Concern / Feature Request:

                  @jdaviescoates - Hidden folders in surfer still get served up.

                  I know. I was suggesting that perhaps Surfer could have an option for them not to be.

                  I use Cloudron with Gandi & Hetzner

                  1 Reply Last reply Reply Quote 1
                  • First post
                    Last post
                  Powered by NodeBB