Questions tagged [node.js]
Node.js is an event-based, non-blocking, asynchronous I/O framework that uses Google's V8 JavaScript Engine.
177 questions
1 vote, 0 answers, 79 views
How to exploit Object.assign in an Express/Mongoose application?
I have a legacy Express/Mongoose application lying around and found a potentially dangerous line of code in it: Object.assign with user input as the second argument. I thought it would be a nice exercise ...
-2 votes, 1 answer, 163 views
Freaked out because of powers of Node.js
My friend and I are making games on RPG Maker and sharing them together. He also makes plugins from ChatGPT.
I asked him for a script for a game crash (horror scene) and they asked "can this ...
0 votes, 1 answer, 91 views
How risky is running a random nodejs application?
As a web developer, I frequently create minimal reproductions of whatever issue I'm facing as a GitHub repo, and post a link to it in the Stack Overflow question or GitHub issue thread that I'm ...
1 vote, 1 answer, 69 views
Is using req.path as a file path in an Express route vulnerable?
Let's say we have this simple Express application
const express = require('express')
const app = express();
app.get("/public/*", (req, res) => {
res.sendFile(req.path);
});
app....
1 vote, 1 answer, 159 views
Security considerations when using Apache with SSL enabled and Node.JS without SSL
So I have a peculiar setup to work with. The main server is your standard run-of-the-mill Apache server with SSL enabled, bound to a public domain (NOT localhost!). My Node.JS server runs on localhost:...
5 votes, 1 answer, 372 views
How does AWS Lambda support EOL Node.js versions?
AWS Lambda's support for Node.js and Node.js end of life do not coincide, instead AWS Lambda continues to support the runtime for a few months after the official end of life for a specific Node.js ...
7 votes, 1 answer, 1k views
What was the concern that caused the warning in GitHub Actions documentation about setting NODE_OPTIONS?
In the documentation on GitHub Actions there is a note,
Due to security restrictions, GITHUB_ENV cannot be used to set the NODE_OPTIONS environment variable.
What exploit were they trying to ...
1 vote, 1 answer, 80 views
NodeJS 23 on AWS Lightsail
I use NodeJS on AWS Lightsail and want to upgrade to version 23. I have been using a version packaged by bitnami that boasts "security by default", e.g. with some ports closed. It supports ...
0 votes, 0 answers, 60 views
Benefit to reading sensitive file chunks via a "middleman" shell script?
TL;DR: is using a script spawned by my main process, which reads only a chunk of a sensitive file and then passes the result to my main process, of any benefit?
In contrast to loading the file in my ...
1 vote, 1 answer, 100 views
How can authenticity be ensured for Node.js packages when using a public registry like npmjs.com?
I was thinking about how to ensure the authenticity of Node.js packages that are installed from a public registry like npmjs.com. The only mechanisms (optionally) in place to my understanding are:
...
0 votes, 1 answer, 241 views
How to protect a string (secret key) in my env file in a Node.js project?
I have a Node.js project which is implemented in the Nest.js framework.
There are some apiKey and secretKey values in my env file. I want to protect these keys from anyone, even the host administrator, so I compile my ...
0 votes, 1 answer, 88 views
Running an unknown Node.js/React app
I made a mistake: I was reached out to for work regarding a project. I accidentally built it and ran it locally, and it was obviously a bunch of nonsense code designed to look like a normal React project ...
0 votes, 1 answer, 277 views
Predicting Math.random after Math.floor
I know Math.random() in JavaScript can be predicted if you know its exact outputs, but if I only know what it gives after doing Math.floor(100 / (1.0001 - Math.random())), how would I use this ...
0 votes, 1 answer, 118 views
Relation between passphrase and password-based key derivation
I am not totally sure how the following concepts are related; could someone please explain?
password-based key derivation
passphrase that can be passed to crypto.generateKeyPairSync (in Node.js)
...
0 votes, 0 answers, 116 views
Overcoming Middleware: Exploiting XSS to Retrieve Data
I am attempting to perform an XSS attack on my server and have successfully bypassed the CSP. In my server code, I store all users in the following manner:
.get("/users", adminReq, (req, ...