fresh icon indicating copy to clipboard operation
fresh copied to clipboard
verified publisher icon denoland

Static file serving doesn't support symlinks

Open jeffomatic opened this issue 2 years ago • 5 comments

I noticed that Fresh will return 404s for symlinked files placed in the static/ directory. I didn't dig too deeply, but I suspect this could be due to an explicit followSymlinks: false option here.

I'm unsure if this is intentional behavior. If it is, it might be worth mentioning this behavior in the corresponding docs, since I'm probably not the only one who will try this.

I'd also gently suggest that supporting symlinks would be a good thing. I just tested the Golang equivalent (http.FileServer) and it handles symlinks as you'd expect.

jeffomatic avatar Mar 17 '23 15:03 jeffomatic

I'm -1 on allowing symlinks. Seems like a pretty big possible security hole if everyone isn't writing perfect code.

lino-levan avatar Mar 22 '23 18:03 lino-levan

@lino-levan

Seems like a pretty big possible security hole

I think that's a fair concern any time symlinks are involved, but I think in this case, favoring security over composability and principle-of-least-surprise is not the right tradeoff.

Up to this point, we're just talking about personal preferences, but maybe I can try to add a bit more data into the conversation. I'm not aware of any general security principles that advise against using symlinks for static file serving; in fact, following symlinks is default behavior in most of the contexts I can think of. In terms of programming environments, I already mentioned Go, but Express static file serving works this way too. I didn't try it out, but I also wouldn't be surprised if nginx and Apache work this way. As a final example, I will also point out that "follow symlinks" seems to be Deno's own philosophy, because --allow-read will also respect symlinks.

That said, my knowledge of the domain may not be the same as yours. Do you have examples or links to writeups that suggest that static file serving with symlinks is something that should be avoided in general?

jeffomatic avatar Mar 22 '23 19:03 jeffomatic

It depends on the context, I tend to avoid symlinks and http servers in general. What are the advantages of following symlinks? I've never heard of this being used in static file server. What is the use case?

lino-levan avatar Mar 22 '23 20:03 lino-levan

I've just stumbled upon a frankly fringe usecase:

https://resium.reearth.io/installation

I managed to get it to work in fresh up until the point resium wants to fetch stuff from cesium under the /cesium path.

Bildschirmfoto 2023-12-29 um 05 31 18

I tried to fix this by making a symlink (like described in the installation guide above for Next.js) for node_modules/.deno/[email protected]/node_modules/cesium/Build/Cesium in static/cesium, but yeah, it obviously doesn't work because fresh doesn't support symlinks (at least for static assets, I guess?).

The workaround I'll try is copying the files over in my deno dev task before it starts fresh, as that's also apparently the recommended solution for webpack users of resium.

But yeah, I agree with @jeffomatic that fresh should support symlinks here, but obviously as an opt-in flag. Or, could something like this be implemented in a fresh plugin?

nnmrts avatar Dec 29 '23 04:12 nnmrts