Ulrich Berntien edited this page Sep 6, 2020 · 2 revisions

TWA-0407

Message

"Package management file being served at: ${url}"

In the message output, the variable ${url} is replaced by the URL at which the package management file was served.

Explanation

Files of the package manager (e.g. npm for JavaScript, RubyGems for Ruby, Pipenv for Python, Cargo for Rust) that were used to set up the web server or other applications running on the server should not be published by the web server. A possible attacker should not get information about the internal settings of the web server.

As of August 2020, the twa script checks for the files: '.npmrc', 'package.json', 'package-lock.json', '.gem/credentials', 'Gemfile', 'Gemfile.lock', 'Rakefile', '.pypirc', 'setup.py', 'setup.cfg', 'requirements.txt', 'Pipfile', 'Pipfile.lock', 'Cargo.lock' and 'Cargo.toml'.

Remediation

Configure the web server to not publish files with internal data.

Several configuration options exist to deny access to files whose name matches a pattern on a blacklist, or to all files not on a whitelist. Search the web for examples.
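As an added example (not part of the twa project or its wiki), the following nginx server block returns 404 for every file name in the list above. The server name and document root are placeholders; the rules match the file names at any depth under the document root, which is stricter than checking only the top level.

```nginx
# Added example: block the package management files listed in TWA-0407.
# Hostname and document root are placeholders, not values from the twa project.
server {
    listen 80;
    server_name example.invalid;
    root /var/www/html;

    # Dotfiles and dot-directories: covers .npmrc, .pypirc and .gem/credentials
    # (and any other hidden file, which a web server should not publish either).
    # "return 404" instead of "deny all" so the response does not confirm that
    # the file exists.
    location ~ (^|/)\. {
        return 404;
    }

    # Non-hidden package manager files checked by twa (August 2020 list).
    # Names are matched exactly, case-sensitively, at the end of the path.
    location ~ (^|/)(package\.json|package-lock\.json|Gemfile|Gemfile\.lock|Rakefile|setup\.py|setup\.cfg|requirements\.txt|Pipfile|Pipfile\.lock|Cargo\.lock|Cargo\.toml)$ {
        return 404;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

After reloading nginx, re-run twa against the host; TWA-0407 should no longer be reported for these paths. The dotfile rule is deliberately broader than the twa list, since `.git/`, `.env` and similar files carry the same risk even though this check does not look for them.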
