Merge pull request #1160 from serlo/staging

kulla · web-flow · commit 192cf6051ec6 · 2025-10-20T22:31:16.000+02:00
Deployment
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -6,6 +6,11 @@ updates:
     directory: '/'
     schedule:
       interval: 'weekly'
+    groups:
+      minor-and-patch:
+        update-types:
+          - 'patch'
+          - 'minor'
     ignore:
       # we want LTS version of node and not suggested current version
       - dependency-name: '@types/node'
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
@@ -10,34 +10,34 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: ./.github/actions/setup-node
       - run: yarn test
 
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: ./.github/actions/setup-node
       - run: yarn build --env production
 
   eslint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: ./.github/actions/setup-node
       - run: yarn lint:eslint
 
   prettier:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: ./.github/actions/setup-node
       - run: yarn lint:prettier
 
   tsc:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: ./.github/actions/setup-node
       - run: yarn lint:tsc
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -9,7 +9,7 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: ./.github/actions/setup-node
       - run: yarn deploy --env ${GITHUB_REF_NAME}
         env:
diff --git a/.tool-versions b/.tool-versions
@@ -1 +1 @@
-nodejs 20.12.1
+nodejs 24.9.0
diff --git a/__tests__/__utils__/services/database.ts b/__tests__/__utils__/services/database.ts
@@ -1,7 +1,6 @@
 import { Instance } from '../../../src/utils'
 
 declare global {
-  // eslint-disable-next-line no-var
   var uuids: Uuid[]
 }
 
diff --git a/__tests__/__utils__/test-environment.ts b/__tests__/__utils__/test-environment.ts
@@ -12,7 +12,6 @@ import { CFEnvironment, CFVariables, isInstance } from '../../src/utils'
 const __dirname = path.dirname(fileURLToPath(import.meta.url))
 
 declare global {
-  // eslint-disable-next-line no-var
   var server: ReturnType<typeof import('msw/node').setupServer>
 }
 
diff --git a/__tests__/block-common-hacker-paths.ts b/__tests__/block-common-hacker-paths.ts
@@ -0,0 +1,77 @@
+import { givenUuid, currentTestEnvironment } from './__utils__'
+import { Instance } from '../src/utils'
+
+describe('blocks common hacker paths', () => {
+  const env = currentTestEnvironment()
+
+  beforeEach(() => {
+    givenUuid({
+      __typename: 'Article',
+      alias: '/legitimate-path',
+      content: 'legitimate content',
+      instance: Instance.En,
+    })
+  })
+
+  test.each([
+    '/.env',
+    '/.git',
+    '/.aws/config',
+    '/.ssh/id_rsa',
+    '/.docker/config',
+    '/config.json',
+    '/config.php',
+    '/configuration.php',
+  ])('blocks file-based attack path: %s', async (path) => {
+    const response = await env.fetch({ subdomain: 'en', pathname: path })
+    expect(response.status).toBe(404)
+  })
+
+  test.each([
+    '/wp-admin',
+    '/wp-login.php',
+    '/wp-content/plugins',
+    '/wp-includes/file.php',
+    '/xmlrpc.php',
+    '/wp-config.php',
+  ])('blocks WordPress-related path: %s', async (path) => {
+    const response = await env.fetch({ subdomain: 'en', pathname: path })
+    expect(response.status).toBe(404)
+  })
+
+  test.each([
+    '/phpmyadmin',
+    '/pma',
+    '/admin',
+    '/administrator',
+    '/cpanel',
+    '/plesk',
+    '/webmail',
+    '/joomla/admin',
+    '/drupal/admin',
+  ])('blocks CMS and admin panel path: %s', async (path) => {
+    const response = await env.fetch({ subdomain: 'en', pathname: path })
+    expect(response.status).toBe(404)
+  })
+
+  test.each([
+    '/test.php',
+    '/index.asp',
+    '/default.aspx',
+    '/login.jsp',
+    '/script.cgi',
+    '/file.pl',
+  ])('blocks disallowed file extension: %s', async (path) => {
+    const response = await env.fetch({ subdomain: 'en', pathname: path })
+    expect(response.status).toBe(404)
+  })
+
+  test('legitimate paths still work and redirect properly', async () => {
+    const response = await env.fetch({
+      subdomain: 'en',
+      pathname: '/legitimate-path',
+    })
+    // This should not be blocked and should work as normal
+    expect(response.status).not.toBe(404)
+  })
+})
diff --git a/__tests__/redirects.ts b/__tests__/redirects.ts
@@ -45,24 +45,16 @@ test('de.serlo.org/datenschutz', async () => {
   expectToBeRedirectTo(response, target, 301)
 })
 
-test('de.serlo.org/impressum', async () => {
-  const response = await env.fetch({
-    subdomain: 'de',
-    pathname: '/impressum',
-  })
-
-  const target = 'https://de.serlo.org/legal'
-  expectToBeRedirectTo(response, target, 301)
-})
-
-test('de.serlo.org/impressum', async () => {
-  const response = await env.fetch({
-    subdomain: 'de',
-    pathname: '/imprint',
-  })
-
-  const target = 'https://de.serlo.org/legal'
-  expectToBeRedirectTo(response, target, 301)
+describe('Imprint', () => {
+  test.each(['/impressum', '/imprint', '/legal'])(
+    'de.serlo.org%s',
+    async (pathname) => {
+      const response = await env.fetch({ subdomain: 'de', pathname })
+
+      const target = 'https://chancenwerk.de/impressum/'
+      expectToBeRedirectTo(response, target, 302)
+    },
+  )
 })
 
 test('de.serlo.org/nutzungsbedingungen ', async () => {
diff --git a/jest.config.json b/jest.config.json
@@ -3,8 +3,7 @@
     "^.+\\.tsx?$": [
       "ts-jest",
       {
-        "useESM": true,
-        "isolatedModules": true
+        "useESM": true
       }
     ]
   },
diff --git a/jest.setup.ts b/jest.setup.ts
@@ -82,8 +82,6 @@ function mockSentryServer() {
 export {}
 
 declare global {
-  // eslint-disable-next-line no-var
   var server: ReturnType<typeof import('msw/node').setupServer>
-  // eslint-disable-next-line no-var
   var sentryEvents: SentryEvent[]
 }
diff --git a/package.json b/package.json
@@ -30,45 +30,46 @@
     "test:staging": "cross-env TEST_ENVIRONMENT=staging yarn test --runInBand"
   },
   "dependencies": {
-    "fp-ts": "^2.16.9",
+    "fp-ts": "^2.16.11",
     "io-ts": "^2.2.22",
-    "jose": "^6.0.10",
+    "jose": "^6.1.0",
     "toucan-js": "^4.1.1"
   },
   "devDependencies": {
-    "@cloudflare/workers-types": "^4.20250421.0",
-    "@eslint/compat": "^1.2.8",
+    "@cloudflare/workers-types": "^4.20251011.0",
+    "@eslint/compat": "^1.4.0",
     "@eslint/eslintrc": "^3.3.1",
-    "@eslint/js": "^9.25.1",
+    "@eslint/js": "^9.37.0",
     "@iarna/toml": "^2.2.5",
-    "@jest/globals": "^29.7.0",
-    "@sentry/core": "^9.10.1",
-    "@testing-library/jest-dom": "^6.6.3",
+    "@jest/globals": "^30.2.0",
+    "@sentry/core": "^10.19.0",
+    "@testing-library/jest-dom": "^6.9.1",
     "@types/iarna__toml": "^2.0.5",
-    "@types/jest": "^29.5.14",
-    "@typescript-eslint/eslint-plugin": "^8.31.0",
-    "@typescript-eslint/parser": "^8.31.0",
-    "cross-env": "^7.0.3",
+    "@types/jest": "^30.0.0",
+    "@types/node": "24.7.2",
+    "@typescript-eslint/eslint-plugin": "^8.46.1",
+    "@typescript-eslint/parser": "^8.46.1",
+    "cross-env": "^10.1.0",
     "depcheck": "^1.4.7",
-    "eslint": "^9.25.1",
-    "eslint-config-prettier": "^10.1.2",
+    "eslint": "^9.37.0",
+    "eslint-config-prettier": "^10.1.8",
     "eslint-plugin-deprecation": "^3.0.0",
-    "eslint-plugin-import": "^2.31.0",
+    "eslint-plugin-import": "^2.32.0",
     "eslint-plugin-react": "^7.37.5",
-    "globals": "^16.0.0",
-    "jest": "^29.7.0",
-    "msw": "^2.7.3",
+    "globals": "^16.4.0",
+    "jest": "^30.2.0",
+    "msw": "^2.11.5",
     "npm-run-all": "^4.1.5",
-    "prettier": "^3.5.3",
-    "prettier-plugin-packagejson": "^2.5.10",
-    "prettier-plugin-sh": "^0.17.2",
-    "ts-jest": "^29.3.2",
+    "prettier": "^3.6.2",
+    "prettier-plugin-packagejson": "^2.5.19",
+    "prettier-plugin-sh": "^0.18.0",
+    "ts-jest": "^29.4.5",
     "ts-unused-exports": "^11.0.1",
-    "typescript": "^5.8.3",
-    "wrangler": "^4.8.0"
+    "typescript": "^5.9.3",
+    "wrangler": "^4.42.2"
   },
   "packageManager": "yarn@3.6.0",
   "engines": {
-    "node": "^20.0.0"
+    "node": "^24.0.0"
   }
 }
diff --git a/scripts/run_all_checks.sh b/scripts/run_all_checks.sh
@@ -35,7 +35,7 @@ function main() {
   yarn test
 
   print_header "Run build"
-  yarn build
+  yarn build --env staging
 }
 
 function test_no_uncommitted_changes_when_pushing() {
diff --git a/src/block-common-hacker-paths.ts b/src/block-common-hacker-paths.ts
@@ -0,0 +1,73 @@
+import { Url, isInstance } from './utils'
+
+export function blockCommonHackerPaths(request: Request) {
+  const url = Url.fromRequest(request)
+
+  if (isInstance(url.subdomain)) {
+    // Block common hacker paths with 404 response
+    if (isCommonHackerPath(url.pathname)) {
+      return new Response('Not Found', { status: 404 })
+    }
+  }
+
+  return null
+}
+
+function isCommonHackerPath(path: string): boolean {
+  const lowerPath = path.toLowerCase()
+
+  // Common file-based attacks
+  if (
+    lowerPath.startsWith('/.env') ||
+    lowerPath.startsWith('/.git') ||
+    lowerPath.startsWith('/.aws') ||
+    lowerPath.startsWith('/.ssh') ||
+    lowerPath.startsWith('/.docker') ||
+    lowerPath === '/config.json' ||
+    lowerPath === '/config.php' ||
+    lowerPath === '/configuration.php'
+  ) {
+    return true
+  }
+
+  // WordPress-related paths
+  if (
+    lowerPath.startsWith('/wp-admin') ||
+    lowerPath.startsWith('/wp-login') ||
+    lowerPath.startsWith('/wp-content') ||
+    lowerPath.startsWith('/wp-includes') ||
+    lowerPath === '/xmlrpc.php' ||
+    lowerPath === '/wp-config.php'
+  ) {
+    return true
+  }
+
+  // Other CMS and admin panels
+  if (
+    lowerPath.startsWith('/phpmyadmin') ||
+    lowerPath.startsWith('/pma') ||
+    lowerPath.startsWith('/admin') ||
+    lowerPath.startsWith('/administrator') ||
+    lowerPath.startsWith('/cpanel') ||
+    lowerPath.startsWith('/plesk') ||
+    lowerPath.startsWith('/webmail') ||
+    lowerPath.startsWith('/joomla') ||
+    lowerPath.startsWith('/drupal')
+  ) {
+    return true
+  }
+
+  // Common file extensions that Serlo doesn't use
+  if (
+    lowerPath.endsWith('.php') ||
+    lowerPath.endsWith('.asp') ||
+    lowerPath.endsWith('.aspx') ||
+    lowerPath.endsWith('.jsp') ||
+    lowerPath.endsWith('.cgi') ||
+    lowerPath.endsWith('.pl')
+  ) {
+    return true
+  }
+
+  return false
+}
diff --git a/src/index.ts b/src/index.ts
@@ -2,6 +2,7 @@ import { api } from './api'
 import { assetProxy } from './asset-proxy'
 import { semanticFileNames } from './assets'
 import { auth } from './auth'
+import { blockCommonHackerPaths } from './block-common-hacker-paths'
 import { cloudflareWorkerDev } from './cloudflare-worker-dev'
 import { redirectToCurrentAlias } from './current-alias-redirects'
 import { embed } from './embed'
@@ -30,6 +31,7 @@ export default {
         (await quickbarProxy(request, sentryFactory)) ||
         (await pdfProxy(request, sentryFactory)) ||
         robotsTxt(request, env) ||
+        blockCommonHackerPaths(request) ||
         (await frontendSpecialPaths(request, sentryFactory, env)) ||
         sentryHelloWorld(request, sentryFactory) ||
         redirects(request, env) ||
diff --git a/src/redirects.ts b/src/redirects.ts
@@ -51,7 +51,8 @@ export function redirects(request: Request, env: CFEnvironment) {
         return Response.redirect('https://de.serlo.org/privacy', 301)
       case '/impressum':
       case '/imprint':
-        return Response.redirect('https://de.serlo.org/legal', 301)
+      case '/legal':
+        return Response.redirect('https://chancenwerk.de/impressum/', 302)
       case '/nutzungsbedingungen':
       case '/21654':
       case '/21654/nutzungsbedingungen-und-urheberrecht':
diff --git a/tsconfig.json b/tsconfig.json
diff --git a/yarn.lock b/yarn.lock

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,6 @@`
`1`	`1`	`import { Instance } from '../../../src/utils'`
`2`	`2`
`3`	`3`	`declare global {`
`4`		`- // eslint-disable-next-line no-var`
`5`	`4`	`var uuids: Uuid[]`
`6`	`5`	`}`
`7`	`6`
Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,6 @@ import { CFEnvironment, CFVariables, isInstance } from '../../src/utils'`
`12`	`12`	`const __dirname = path.dirname(fileURLToPath(import.meta.url))`
`13`	`13`
`14`	`14`	`declare global {`
`15`		`- // eslint-disable-next-line no-var`
`16`	`15`	`var server: ReturnType<typeof import('msw/node').setupServer>`
`17`	`16`	`}`
`18`	`17`
Original file line number	Diff line number	Diff line change
`@@ -3,8 +3,7 @@`
`3`	`3`	`"^.+\\.tsx?$": [`
`4`	`4`	`"ts-jest",`
`5`	`5`	`{`
`6`		`- "useESM": true,`
`7`		`- "isolatedModules": true`
	`6`	`+ "useESM": true`
`8`	`7`	`}`
`9`	`8`	`]`
`10`	`9`	`},`
Original file line number	Diff line number	Diff line change
`@@ -82,8 +82,6 @@ function mockSentryServer() {`
`82`	`82`	`export {}`
`83`	`83`
`84`	`84`	`declare global {`
`85`		`- // eslint-disable-next-line no-var`
`86`	`85`	`var server: ReturnType<typeof import('msw/node').setupServer>`
`87`		`- // eslint-disable-next-line no-var`
`88`	`86`	`var sentryEvents: SentryEvent[]`
`89`	`87`	`}`