Stop leaking Package.json

scottie1984 · Mar 21, 2020 · da6d0e2 · da6d0e2
1 parent 98f40f8
commit da6d0e2
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 4 deletions.
diff --git a/index.js b/index.js
@@ -178,19 +178,21 @@ var generateHTML = function (swaggerDoc, opts, options, customCss, customfavIcon
 }
 
 var setup = function (swaggerDoc, opts, options, customCss, customfavIcon, swaggerUrl, customSiteTitle) {
-  var html = generateHTML(swaggerDoc, opts, options, customCss, customfavIcon, swaggerUrl, customSiteTitle, htmlTplString, jsTplString)
   return function (req, res) {
     if (req.swaggerDoc) {
       var reqHtml = generateHTML(req.swaggerDoc, opts, options, customCss, customfavIcon, swaggerUrl, customSiteTitle, htmlTplString, jsTplString)
       res.send(reqHtml)
     } else {
+      var html = generateHTML(swaggerDoc, opts, options, customCss, customfavIcon, swaggerUrl, customSiteTitle, htmlTplString, jsTplString)
       res.send(html)
     }
   }
 }
 
 function swaggerInitFn(req, res, next) {
-  if (req.url === '/swagger-ui-init.js') {
+  if (req.url === '/package.json') {
+    res.sendStatus(404)
+  } else if (req.url === '/swagger-ui-init.js') {
     res.set('Content-Type', 'application/javascript')
     res.send(swaggerInit)
   } else {
@@ -201,7 +203,9 @@ function swaggerInitFn(req, res, next) {
 var swaggerInitFunction = function (swaggerDoc, opts) {
   var swaggerInitFile = jsTplString.toString().replace('<% swaggerOptions %>', stringify(opts))
   return function (req, res, next) {
-    if (req.url === '/swagger-ui-init.js') {
+    if (req.url === '/package.json') {
+      res.sendStatus(404)
+    } else if (req.url === '/swagger-ui-init.js') {
       res.set('Content-Type', 'application/javascript')
       res.send(swaggerInitFile)
     } else {

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "swagger-ui-express",
-  "version": "4.1.3",
+  "version": "4.1.4",
   "description": "Swagger UI Express",
   "main": "./index.js",
   "files": [

diff --git a/test/test.spec.js b/test/test.spec.js
@@ -159,4 +159,16 @@ describe('integration', function() {
         done(err);
       });
   });
+
+  it('should not leak package.json', function(done) {
+    sitepage.open('http://localhost:3001/api-docs/package.json')
+      .then(() => sitepage.evaluate(function () { return document.querySelector('body').innerText }))
+      .then(body => {
+        assert.equal('Not Found', body);
+        done()
+      })
+      .catch(function(err) {
+        done(err);
+      });
+  });
 });