block swagger routes#1599

Merged: stefangutica merged 3 commits into development from resticted-routes on Apr 28, 2026

Conversation

@stefangutica (Collaborator)

Reasoning

  • Prevent the exposure of internal application data (project structure, dependency versions) via direct access to package.json files.
  • Static routes generated by Swagger publicly exposed these files, representing an information disclosure/security risk.

Proposed Changes

  • Added RestrictedRoutesMiddleware configured to intercept and block a specific array of sensitive routes.
  • The middleware forces an immediate 404 Not Found response for /docs/package.json and /package.json.
  • Registered the middleware at the topmost level in main.ts (directly on the Express instance) before Swagger initialization, using .bind() to preserve the class context.

How to test

  • Access http://localhost:<port>/package.json in a browser or Postman -> Verify it returns a 404 Not Found.
  • Access http://localhost:<port>/docs/package.json -> Verify it returns a 404 Not Found.
  • Access the Swagger UI (http://localhost:<port>/docs) and standard API endpoints -> Verify they load and function normally without being blocked.
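The middleware shape described above (an array of restricted paths, an immediate 404, and a handler that has to be registered with `.bind()` because it reads instance state), as an added example that is not the project's own code. Express is not imported; the request and response types are stubbed inline so the block runs offline, and the `normalize`, `dispatch` and `unboundThrows` helpers are assumptions introduced here to exercise the handler and to show the failure mode `.bind()` prevents.

```typescript
// Added example (not the project's own RestrictedRoutesMiddleware). The Req/Res
// types are minimal stand-ins for Express's request and response objects.
interface Req { url: string }
interface Res {
  statusCode: number;
  body?: unknown;
  status(code: number): Res;
  json(body: unknown): Res;
}
type Next = () => void;

export class RestrictedRoutesMiddleware {
  // Paths that must never be served; these two are the ones named in the PR.
  private readonly blocked = new Set<string>(["/package.json", "/docs/package.json"]);

  constructor(extra: string[] = []) {
    for (const p of extra) this.blocked.add(RestrictedRoutesMiddleware.normalize(p));
  }

  // Match on the path only: drop the query string and fragment and collapse a
  // trailing slash, so "/package.json?x=1" and "/package.json/" are caught too.
  static normalize(url: string): string {
    const pathOnly = url.split(/[?#]/, 1)[0];
    const trimmed = pathOnly.replace(/\/+$/, "");
    return trimmed === "" ? "/" : trimmed;
  }

  isBlocked(url: string): boolean {
    return this.blocked.has(RestrictedRoutesMiddleware.normalize(url));
  }

  // Express-style handler. It reads this.blocked, which is why main.ts must register
  // it as app.use(mw.use.bind(mw)) rather than app.use(mw.use): an unbound method
  // loses `this` when Express invokes it as a plain function.
  use(req: Req, res: Res, next: Next): void {
    if (this.isBlocked(req.url)) {
      res.status(404).json({ statusCode: 404, message: "Not Found" });
      return;
    }
    next();
  }
}

// Constructed stand-in for an Express response, used only to drive the handler offline.
export function makeRes(): Res {
  const res: Res = {
    statusCode: 200,
    status(code: number) { this.statusCode = code; return this; },
    json(body: unknown) { this.body = body; return this; },
  };
  return res;
}

// Runs the bound handler against one URL and reports whether the request was
// passed on to the next handler (Swagger, the API) or answered with 404.
export function dispatch(mw: RestrictedRoutesMiddleware, url: string): { passed: boolean; status: number } {
  const res = makeRes();
  const outcome = { passed: false };
  const handler = mw.use.bind(mw);          // the registration form the PR describes
  handler({ url }, res, () => { outcome.passed = true; });
  return { passed: outcome.passed, status: outcome.passed ? 200 : res.statusCode };
}

// Shows the failure mode .bind() avoids: the method called detached from its
// instance has no `this`, so the first request would throw instead of being blocked.
export function unboundThrows(mw: RestrictedRoutesMiddleware): boolean {
  const detached = mw.use;
  try {
    detached({ url: "/package.json" }, makeRes(), () => {});
    return false;
  } catch {
    return true;
  }
}
```

The normalization step is the check worth keeping when this is wired into a real `app.use`: an exact string comparison against `req.url` alone would let `/package.json?` or `/package.json/` through, and both still resolve to the same file once the static handler sees them. The three "How to test" steps map directly onto `dispatch`: the two package.json paths return 404, while `/docs` and ordinary API paths are passed through untouched.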

@github-actions

github-actions Bot commented Apr 27, 2026

k6 load testing comparison.
Base Commit Hash: 79b2062
Target Commit Hash: aa70442

| Metric | Base Avg | Base Max | Base 90 | Base 95 | Target Avg | Target Max | Target 90 | Target 95 | Diff Avg | Diff Max | Diff 90 | Diff 95 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Nodes | 67.86 | 444.56 | 71.93 | 75.52 | 97.76 | 21003.88 | 68.25 | 74.22 | +44.07% 🔴 | +4624.64% 🔴 | -5.12% ✅ | -1.72% ✅ |
| Tokens | 68.56 | 1317.07 | 72.02 | 75.34 | 52.77 | 194.47 | 65.63 | 68.53 | -23.04% ✅ | -85.23% ✅ | -8.87% ✅ | -9.04% ✅ |
| Transactions | 81.72 | 2475.84 | 72.61 | 77.96 | 120.62 | 23801.65 | 68.99 | 79.94 | +47.59% 🔴 | +861.36% 🔴 | -4.99% ✅ | +2.54% 🔴 |
| Mex | 68.99 | 1530.78 | 71.97 | 75.28 | 53.60 | 784.88 | 65.69 | 68.77 | -22.30% ✅ | -48.73% ✅ | -8.73% ✅ | -8.64% ✅ |
| Blocks | 78.28 | 736.44 | 72.77 | 79.48 | 63.31 | 1722.92 | 66.80 | 72.50 | -19.13% ✅ | +133.95% 🔴 | -8.20% ✅ | -8.78% ✅ |
| Accounts | 69.24 | 1429.08 | 71.94 | 75.01 | 54.46 | 1262.69 | 65.80 | 69.10 | -21.34% ✅ | -11.64% ✅ | -8.54% ✅ | -7.89% ✅ |
| Pool | 67.90 | 467.68 | 72.11 | 75.19 | 52.99 | 307.82 | 65.64 | 68.54 | -21.96% ✅ | -34.18% ✅ | -8.98% ✅ | -8.84% ✅ |
| Test Run Duration | 60003.49 | | | | 60004.66 | | | | | | | |

Legend: Avg - Average Response Time, Max - Maximum Response Time, 90 - 90th Percentile, 95 - 95th Percentile
All times are in milliseconds.

@stefangutica stefangutica merged commit fa749f8 into development Apr 28, 2026
6 checks passed
@stefangutica stefangutica deleted the resticted-routes branch April 28, 2026 06:48