feat: avoid serving hidden files by default (reenable with --serve-hidden); fixes #211

brettz9 · brettz9 · commit 6de8abe641ce · 2025-10-14T15:30:11.000-07:00
Also:
- fix: ensure `--default-extension` and `--server-info` are settable by CLI
diff --git a/CHANGES.md b/CHANGES.md
@@ -7,6 +7,7 @@
 - **Breaking change** (npm): Set `engines` to 20.11.0+
 - **Breaking change**: Add `type: 'module'` and `exports` to `package.json`;
     change internal CJS path
+- **Breaking change**: avoid serving hidden files by default (reenable with `--serve-hidden`/`serveHidden`)
 - Security: Fix dependency vulnerabilities by switching from `optimist` to
     `command-line-basics` (@brettz9)
 - Security: Update `mime` and `colors` (@fidian) and pin `colors`
@@ -27,6 +28,7 @@
 - Fix: path should be more generous in unescaping anything valid in a
     path (such as a hash)
 - Fix: Avoid logging range errors to console
+- Fix: ensure `--default-extension` and `--server-info` are settable by CLI
 - Fix: change `fs.createReadStream()` mode to integer (@pixcai)
 - Enhancement: TypeScript support
 - Enhancement: Allow access with local ip (@flyingsky)
diff --git a/bin/cli.js b/bin/cli.js
@@ -74,6 +74,18 @@ if (args['index-file']) {
     options.indexFile = args['index-file'];
 }
 
+if (args['default-extension']) {
+    options.defaultExtension = args['default-extension'];
+}
+
+if (args['server-info']) {
+    options.serverInfo = args['server-info'];
+}
+
+if (args['serve-hidden']) {
+    options.serveHidden = args['serve-hidden'];
+}
+
 const file = new(statik.Server)(dir, options);
 
 const server = http.createServer(function (request, response) {
diff --git a/bin/optionDefinitions.js b/bin/optionDefinitions.js
@@ -28,6 +28,20 @@ const optionDefinitions = [
         description: '"Cache-Control" header setting. [default: 3600]',
         typeLabel: '{underline SECONDS}'
     },
+    {
+        name: 'default-extension', alias: 'e', type: String,
+        description: 'Optional default extension',
+        typeLabel: '{underline extension name}'
+    },
+    {
+        name: 'server-info', type: String,
+        description: 'Info to indicate in a header about the server',
+        typeLabel: '{underline server info}'
+    },
+    {
+        name: 'serve-hidden', type: Boolean,
+        description: 'Whether to serve hidden files. Defaults to `false`.',
+    },
     {
         name: 'headers', alias: 'H', type: String,
         description: 'Additional headers in JSON format.',
diff --git a/lib/node-static.js b/lib/node-static.js
@@ -4,10 +4,12 @@ import http from 'http';
 import path from 'path';
 // import buffer from 'buffer';
 
+import {isHiddenFile as isHiddenFileOrDirectory} from 'is-hidden-file';
 import mime from 'mime';
 import {minimatch} from 'minimatch';
 import {mstat} from './node-static/util.js';
 
+
 /**
  * @typedef {{
  *   status: number,
@@ -52,6 +54,7 @@ function tryStat(p, callback) {
  *   headers?: http.OutgoingHttpHeaders
  *   serverInfo?: string|null,
  *   cache?: boolean|number|Record<string, number>,
+ *   serveHidden?: boolean,
  *   defaultExtension?: string
  * }} ServerOptions
  */
@@ -266,6 +269,8 @@ class Server extends events.EventEmitter {
                     } else {
                         finish(404, {});
                     }
+                } else if (this.options.serveHidden !== true && isHiddenFileOrDirectory(pathname)) {
+                    finish(404, {});
                 } else if (stat.isFile()) {      // Stream a single file.
                     this.respond(null, status, headers, [pathname], stat, req, res, finish);
                 } else if (stat.isDirectory()) { // Stream a directory of files.
diff --git a/package-lock.json b/package-lock.json
diff --git a/test/fixtures/.hidden-hello.txt b/test/fixtures/.hidden-hello.txt
@@ -0,0 +1 @@
+hello world
diff --git a/test/integration/binary.js b/test/integration/binary.js
@@ -67,6 +67,133 @@ describe('node-static (CLI)', function () {
             assert.equal(text, 'hello world', 'should respond with hello world');
         });
 
+        it('serving file within directory with server info', async function () {
+            const {response /* , stdout */} =
+                /**
+                 * @type {{
+                 *   response: Response,
+                 *   stdout: string
+                 * }}
+                 */ (await spawnConditional(
+                    binFile,
+                    [
+                        '-p', this.port, fixturePath,
+                        '--server-info', 'my-server'
+                    ],
+                    timeout - 9000,
+                    {
+                        condition: /serving ".*?"/,
+                        action: (/* err, stdout */) => {
+                            return fetch(
+                                `http://localhost:${this.port}/hello.txt`
+                            );
+                        }
+                    }));
+
+            const {status} = response;
+            const contentType = response.headers.get('content-type');
+            const server = response.headers.get('server');
+            const text = await response.text();
+
+            assert.equal(status, 200, 'should respond with 200');
+            assert.equal(contentType, 'text/plain', 'should respond with text/plain');
+            assert.equal(server, 'my-server', 'should respond with my-server')
+            assert.equal(text, 'hello world', 'should respond with hello world');
+        });
+
+        it('serving file within directory with default extension', async function () {
+            const {response /* , stdout */} =
+                /**
+                 * @type {{
+                 *   response: Response,
+                 *   stdout: string
+                 * }}
+                 */ (await spawnConditional(
+                    binFile,
+                    [
+                        '-p', this.port, fixturePath,
+                        '--default-extension', 'txt'
+                    ],
+                    timeout - 9000,
+                    {
+                        condition: /serving ".*?"/,
+                        action: (/* err, stdout */) => {
+                            return fetch(
+                                `http://localhost:${this.port}/hello`
+                            );
+                        }
+                    }));
+
+            const {status} = response;
+            const contentType = response.headers.get('content-type');
+            const text = await response.text();
+
+            assert.equal(status, 200, 'should respond with 200');
+            assert.equal(contentType, 'text/plain', 'should respond with text/plain');
+            assert.equal(text, 'hello world', 'should respond with hello world');
+        });
+
+        it('serving file within directory with hidden extension', async function () {
+            const {response /* , stdout */} =
+                /**
+                 * @type {{
+                 *   response: Response,
+                 *   stdout: string
+                 * }}
+                 */ (await spawnConditional(
+                    binFile,
+                    [
+                        '-p', this.port, fixturePath,
+                        '--serve-hidden'
+                    ],
+                    timeout - 9000,
+                    {
+                        condition: /serving ".*?"/,
+                        action: (/* err, stdout */) => {
+                            return fetch(
+                                `http://localhost:${this.port}/.hidden-hello.txt`
+                            );
+                        }
+                    }));
+
+            const {status} = response;
+            const contentType = response.headers.get('content-type');
+            const text = await response.text();
+
+            assert.equal(status, 200, 'should respond with 200');
+            assert.equal(contentType, 'text/plain', 'should respond with text/plain');
+            assert.equal(text, 'hello world', 'should respond with hello world');
+        });
+
+        it('serving 404 for file with hidden extension', async function () {
+            const {response /* , stdout */} =
+                /**
+                 * @type {{
+                 *   response: Response,
+                 *   stdout: string
+                 * }}
+                 */ (await spawnConditional(
+                    binFile,
+                    [
+                        '-p', this.port, fixturePath
+                    ],
+                    timeout - 9000,
+                    {
+                        condition: /serving ".*?"/,
+                        action: (/* err, stdout */) => {
+                            return fetch(
+                                `http://localhost:${this.port}/.hidden-hello.txt`
+                            );
+                        }
+                    }));
+
+            const {status} = response;
+            const text = await response.text();
+
+            assert.equal(status, 404, 'should respond with 404');
+            assert.equal(text, 'Not Found', 'should respond with Not Found');
+        });
+
         it('serving file without directory', async function () {
             const {response /* , stdout */} =
                 /**
