Two months ago I ran a huge global scan for unintentionally exposed .git repositories. I was surprised to find many Python and Ruby applications with this issue. The total number wasn’t very high – around two thousand, but when I normalized it according to the market share of these programming languages, the situation was worse than the case of PHP.

How could it even be possible that this kind of app returns the static files outside its own directory?

So, I did some research of the affected sites and tried to contact their owners for more details. I suspected a misconfigured web server. It is a common technique to let the web server manage the static files. If done incorrectly and your app is placed in the webroot folder, then the web server will serve all existing files – plain source codes included.

And I was right.

The reason

In the Nginx servers configs, I found these 2 common snippets (the issue is the same for Apache):

try_files $uri @app;

and

if (!-f $request_filename) {
proxy_pass @app;
break;
}

The first one is how Nginx checks to see if the file exists (https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#check-if-file-exists). The second one is probably a direct transcription from Apache’s .htaccess rules with the same functionality:

RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^/(.*)$ http://app/$1 [P]

All these rules work in a similar manner:

if requested file doesn’t exists => send request to the app => else serve the requested existing file = big trouble if your application is placed in webroot

Example app:

/static/logo.png
/flaskapp.py (running on port 5000)

Config:

try_files $uri @app;

location @app {
proxy_pass http://127.0.0.1:5000;
...
}

Requests:

• /static/logo.png => file logo.png exists => logo.png returned
• /contacts => file contacts doesn’t exists => request is routed to the application on port 5000
• /flaskapp.py => file exists => the source of flaskapp.py is returned

Examples of tutorials with bad config:

• https://tutos.readthedocs.io/en/latest/source/ndg.html
• https://django-best-practices.readthedocs.io/en/latest/deployment/servers.html

It is easy to find many more of these tutorials and repositories with this bad configuration.

How to do it right?

The golden rule is to not place you application files inside the webroot folder, but, it isn’t always possible. Either way, you can use the following draft of the config:

# serve static files directly from its folder
location /static/ {
alias /.../app/static;
}
# let the app process the rest
location / {
proxy_pass http://127.0.0.1:5000;
}


This is a very serious issue and there are a huge number of affected sites. As I ran more scans focusing on this issue I found more than ten thousand sites in total. The scans weren’t complex, so the actual numbers could be much higher. I tried to contact the authors of the tutorial and examples, but many of them abandoned their projects years ago. My final recommendation: don’t blindly follow every tutorial you find and try to adapt it to your current situation.