
Gatsby leaks absolute paths of the build machine #3324

Closed
tomazy opened this issue Dec 23, 2017 · 5 comments
Comments

@tomazy
Contributor

tomazy commented Dec 23, 2017

Description

Gatsby build scripts generate source map files that contain absolute paths to the files in the project. Sometimes they also appear in transpiled JavaScript files (e.g. https://reasonml.github.io/app-5aa43ee45917a3861b72.js - search for "/Users/").
This can expose too much information about the machine used for the build (e.g. current user name, directory naming convention, etc.) which can be a security issue.

Notice that the whole .cache directory is being included in the source maps which contains a lot of information necessary for the build but probably not useful for solving problems in production.

Environment

Gatsby version: v1.9.149
Node.js version: v8.2.1
Operating System: macOS 10.12.6

Actual result

Absolute paths to files on a build machine are publicly exposed.

Expected behavior

  • Use only relative paths (to the root of the project) in transpiled files and source maps.
  • Don't include contents of .cache directory in source maps.

Steps to reproduce

1.
   cd /tmp
   gatsby new my-secret-project

2.
   cd my-secret-project
   npm run build

3.
   grep "/tmp/my-secret-project" -l -r .cache public
   .cache/api-runner-browser.js
   .cache/api-runner-ssr.js
   .cache/async-requires.js
   .cache/layouts/index.js
   .cache/redux-state.json
   .cache/sync-requires.js
   public/app-cbee66f3f91d7ba4901e.js.map
   public/commons-f1ef510847f79fa0a799.js.map
   public/component---src-layouts-index-js-cef2c4879611be89a02a.js.map
   public/render-page.js.map

@tomazy
Contributor Author

tomazy commented Dec 23, 2017

We should also remove public/render-page.js.map during build. Or maybe it would be better not to generate it at all?

public/render-page.js is being used by static-site-generator-plugin

@KyleAMathews
Contributor

This was fixed in #3326, thanks @tomazy!

@tomazy
Contributor Author

tomazy commented Jan 29, 2018

@KyleAMathews #3326 fixed only a part of the problem.
You can see that absolute paths are still exposed by running in your project dir:

grep -e "`pwd`" -r public -l

I'm not sure yet if it's a Gatsby-specific problem or if it's here because webpack generates the source maps with absolute paths.

One way of fixing this would be disabling the generation of the source maps by default.
People are usually not aware that the source maps expose the full source code of the application (including comments like TODO, commented out secret credentials, etc).
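As an added example (not code from the issue or from Gatsby), the check below automates the two greps in this thread against a build's public/ directory: it parses each .js.map and flags "sources" entries that are absolute or under .cache, and searches every emitted file for the project root (the `pwd` of the build). The sample source map is constructed; the webpack:/// source prefix and the public/*.js.map layout are assumptions based on the paths listed above.

```python
"""Scan Gatsby build output for build-machine paths leaking into source maps.
Added example, not from the issue or Gatsby; assumes webpack's public/*.js and
public/*.js.map layout and a standard source-map v3 "sources" array."""
import json
import os
import re
from pathlib import Path

WEBPACK_SCHEME = re.compile(r"^webpack://[^/]*/")  # "webpack:///./src/x.js" or "webpack:////abs/x.js"


def leaked_sources(source_map_text: str) -> list:
    """`sources` entries that are absolute (expose user name / directory layout)
    or live under .cache (build plumbing that does not belong in production maps)."""
    leaks = []
    for src in json.loads(source_map_text).get("sources", []):
        path = WEBPACK_SCHEME.sub("", src)  # strip the scheme, keep the file path
        if path.startswith("/") or ".cache" in Path(path).parts:
            leaks.append(src)
    return leaks


def leaked_build_root(text: str, build_root: str) -> list:
    """Distinct paths beginning with build_root found in any text (the
    grep -e "`pwd`" -r public check from the thread, applied to one file)."""
    pattern = re.compile(re.escape(build_root) + r"[^\s\"'`]*")
    return sorted(set(pattern.findall(text)))


def scan_public_dir(public_dir: str, build_root: str) -> dict:
    """Map each offending file under public/ to the leaks found in it."""
    findings = {}
    for root, _dirs, files in os.walk(public_dir):
        for name in files:
            file_path = os.path.join(root, name)
            text = Path(file_path).read_text(encoding="utf-8", errors="replace")
            leaks = leaked_build_root(text, build_root) + (leaked_sources(text) if name.endswith(".map") else [])
            if leaks:
                findings[os.path.relpath(file_path, public_dir)] = sorted(set(leaks))
    return findings


# Constructed sample: a map as webpack might emit it for the report's /tmp project.
SAMPLE_MAP = json.dumps({"version": 3, "sources": [
    "webpack:///./src/layouts/index.js",                          # fine: relative, under src
    "webpack:///./.cache/api-runner-browser.js",                  # .cache plumbing
    "webpack:////tmp/my-secret-project/.cache/async-requires.js",  # absolute and .cache
    "/tmp/my-secret-project/src/pages/index.js",                  # absolute path
]})
```

Run it as `scan_public_dir("public", os.getcwd())` from the project directory after `npm run build`; an empty dict means neither check found anything.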

@KyleAMathews
Contributor

@tomazy I'd be up for disabling source maps by default in production for v2. I agree it's probably something that should be opted into. Could you create an issue for that and, if you have time, work on a PR for that?

@tomazy
Contributor Author

tomazy commented Jan 31, 2018

Ok, I'll try to do it asap.
