Deployment

.github/dependabot.yml

@@ -6,6 +6,11 @@ updates:
     directory: '/'
     schedule:
       interval: 'weekly'
+    groups:
+      minor-and-patch:
+        update-types:
+          - 'patch'
+          - 'minor'
     ignore:
       # we want LTS version of node and not suggested current version
       - dependency-name: '@types/node'

.github/workflows/checks.yml

@@ -10,34 +10,34 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: ./.github/actions/setup-node
       - run: yarn test
 
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: ./.github/actions/setup-node
       - run: yarn build --env production
 
   eslint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: ./.github/actions/setup-node
       - run: yarn lint:eslint
 
   prettier:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: ./.github/actions/setup-node
       - run: yarn lint:prettier
 
   tsc:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: ./.github/actions/setup-node
       - run: yarn lint:tsc

.github/workflows/deploy.yml

@@ -9,7 +9,7 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: ./.github/actions/setup-node
       - run: yarn deploy --env ${GITHUB_REF_NAME}
         env:

.tool-versions

@@ -1 +1 @@
-nodejs 20.12.1
+nodejs 24.9.0

__tests__/__utils__/services/database.ts

@@ -1,7 +1,6 @@
 import { Instance } from '../../../src/utils'
 
 declare global {
-  // eslint-disable-next-line no-var
   var uuids: Uuid[]
 }
 

__tests__/__utils__/test-environment.ts

@@ -12,7 +12,6 @@ import { CFEnvironment, CFVariables, isInstance } from '../../src/utils'
 const __dirname = path.dirname(fileURLToPath(import.meta.url))
 
 declare global {
-  // eslint-disable-next-line no-var
   var server: ReturnType<typeof import('msw/node').setupServer>
 }
 

__tests__/block-common-hacker-paths.ts

@@ -0,0 +1,77 @@
+import { givenUuid, currentTestEnvironment } from './__utils__'
+import { Instance } from '../src/utils'
+
+describe('blocks common hacker paths', () => {
+  const env = currentTestEnvironment()
+
+  beforeEach(() => {
+    givenUuid({
+      __typename: 'Article',
+      alias: '/legitimate-path',
+      content: 'legitimate content',
+      instance: Instance.En,
+    })
+  })
+
+  test.each([
+    '/.env',
+    '/.git',
+    '/.aws/config',
+    '/.ssh/id_rsa',
+    '/.docker/config',
+    '/config.json',
+    '/config.php',
+    '/configuration.php',
+  ])('blocks file-based attack path: %s', async (path) => {
+    const response = await env.fetch({ subdomain: 'en', pathname: path })
+    expect(response.status).toBe(404)
+  })
+
+  test.each([
+    '/wp-admin',
+    '/wp-login.php',
+    '/wp-content/plugins',
+    '/wp-includes/file.php',
+    '/xmlrpc.php',
+    '/wp-config.php',
+  ])('blocks WordPress-related path: %s', async (path) => {
+    const response = await env.fetch({ subdomain: 'en', pathname: path })
+    expect(response.status).toBe(404)
+  })
+
+  test.each([
+    '/phpmyadmin',
+    '/pma',
+    '/admin',
+    '/administrator',
+    '/cpanel',
+    '/plesk',
+    '/webmail',
+    '/joomla/admin',
+    '/drupal/admin',
+  ])('blocks CMS and admin panel path: %s', async (path) => {
+    const response = await env.fetch({ subdomain: 'en', pathname: path })
+    expect(response.status).toBe(404)
+  })
+
+  test.each([
+    '/test.php',
+    '/index.asp',
+    '/default.aspx',
+    '/login.jsp',
+    '/script.cgi',
+    '/file.pl',
+  ])('blocks disallowed file extension: %s', async (path) => {
+    const response = await env.fetch({ subdomain: 'en', pathname: path })
+    expect(response.status).toBe(404)
+  })
+
+  test('legitimate paths still work and redirect properly', async () => {
+    const response = await env.fetch({
+      subdomain: 'en',
+      pathname: '/legitimate-path',
+    })
+    // This should not be blocked and should work as normal
+    expect(response.status).not.toBe(404)
+  })
+})

__tests__/redirects.ts

@@ -45,24 +45,16 @@ test('de.serlo.org/datenschutz', async () => {
   expectToBeRedirectTo(response, target, 301)
 })
 
-test('de.serlo.org/impressum', async () => {
-  const response = await env.fetch({
-    subdomain: 'de',
-    pathname: '/impressum',
-  })
-
-  const target = 'https://de.serlo.org/legal'
-  expectToBeRedirectTo(response, target, 301)
-})
-
-test('de.serlo.org/impressum', async () => {
-  const response = await env.fetch({
-    subdomain: 'de',
-    pathname: '/imprint',
-  })
-
-  const target = 'https://de.serlo.org/legal'
-  expectToBeRedirectTo(response, target, 301)
+describe('Imprint', () => {
+  test.each(['/impressum', '/imprint', '/legal'])(
+    'de.serlo.org%s',
+    async (pathname) => {
+      const response = await env.fetch({ subdomain: 'de', pathname })
+
+      const target = 'https://chancenwerk.de/impressum/'
+      expectToBeRedirectTo(response, target, 302)
+    },
+  )
 })
 
 test('de.serlo.org/nutzungsbedingungen ', async () => {

jest.config.json

@@ -3,8 +3,7 @@
     "^.+\\.tsx?$": [
       "ts-jest",
       {
-        "useESM": true,
-        "isolatedModules": true
+        "useESM": true
       }
     ]
   },

jest.setup.ts

@@ -82,8 +82,6 @@ function mockSentryServer() {
 export {}
 
 declare global {
-  // eslint-disable-next-line no-var
   var server: ReturnType<typeof import('msw/node').setupServer>
-  // eslint-disable-next-line no-var
   var sentryEvents: SentryEvent[]
 }

package.json

@@ -30,45 +30,46 @@
     "test:staging": "cross-env TEST_ENVIRONMENT=staging yarn test --runInBand"
   },
   "dependencies": {
-    "fp-ts": "^2.16.9",
+    "fp-ts": "^2.16.11",
     "io-ts": "^2.2.22",
-    "jose": "^6.0.10",
+    "jose": "^6.1.0",
     "toucan-js": "^4.1.1"
   },
   "devDependencies": {
-    "@cloudflare/workers-types": "^4.20250421.0",
-    "@eslint/compat": "^1.2.8",
+    "@cloudflare/workers-types": "^4.20251011.0",
+    "@eslint/compat": "^1.4.0",
     "@eslint/eslintrc": "^3.3.1",
-    "@eslint/js": "^9.25.1",
+    "@eslint/js": "^9.37.0",
     "@iarna/toml": "^2.2.5",
-    "@jest/globals": "^29.7.0",
-    "@sentry/core": "^9.10.1",
-    "@testing-library/jest-dom": "^6.6.3",
+    "@jest/globals": "^30.2.0",
+    "@sentry/core": "^10.19.0",
+    "@testing-library/jest-dom": "^6.9.1",
     "@types/iarna__toml": "^2.0.5",
-    "@types/jest": "^29.5.14",
-    "@typescript-eslint/eslint-plugin": "^8.31.0",
-    "@typescript-eslint/parser": "^8.31.0",
-    "cross-env": "^7.0.3",
+    "@types/jest": "^30.0.0",
+    "@types/node": "24.7.2",
+    "@typescript-eslint/eslint-plugin": "^8.46.1",
+    "@typescript-eslint/parser": "^8.46.1",
+    "cross-env": "^10.1.0",
     "depcheck": "^1.4.7",
-    "eslint": "^9.25.1",
-    "eslint-config-prettier": "^10.1.2",
+    "eslint": "^9.37.0",
+    "eslint-config-prettier": "^10.1.8",
     "eslint-plugin-deprecation": "^3.0.0",
-    "eslint-plugin-import": "^2.31.0",
+    "eslint-plugin-import": "^2.32.0",
     "eslint-plugin-react": "^7.37.5",
-    "globals": "^16.0.0",
-    "jest": "^29.7.0",
-    "msw": "^2.7.3",
+    "globals": "^16.4.0",
+    "jest": "^30.2.0",
+    "msw": "^2.11.5",
     "npm-run-all": "^4.1.5",
-    "prettier": "^3.5.3",
-    "prettier-plugin-packagejson": "^2.5.10",
-    "prettier-plugin-sh": "^0.17.2",
-    "ts-jest": "^29.3.2",
+    "prettier": "^3.6.2",
+    "prettier-plugin-packagejson": "^2.5.19",
+    "prettier-plugin-sh": "^0.18.0",
+    "ts-jest": "^29.4.5",
     "ts-unused-exports": "^11.0.1",
-    "typescript": "^5.8.3",
-    "wrangler": "^4.8.0"
+    "typescript": "^5.9.3",
+    "wrangler": "^4.42.2"
   },
   "packageManager": "yarn@3.6.0",
   "engines": {
-    "node": "^20.0.0"
+    "node": "^24.0.0"
   }
 }

scripts/run_all_checks.sh

@@ -35,7 +35,7 @@ function main() {
   yarn test
 
   print_header "Run build"
-  yarn build
+  yarn build --env staging
 }
 
 function test_no_uncommitted_changes_when_pushing() {

src/block-common-hacker-paths.ts

@@ -0,0 +1,73 @@
+import { Url, isInstance } from './utils'
+
+export function blockCommonHackerPaths(request: Request) {
+  const url = Url.fromRequest(request)
+
+  if (isInstance(url.subdomain)) {
+    // Block common hacker paths with 404 response
+    if (isCommonHackerPath(url.pathname)) {
+      return new Response('Not Found', { status: 404 })
+    }
+  }
+
+  return null
+}
+
+function isCommonHackerPath(path: string): boolean {
+  const lowerPath = path.toLowerCase()
+
+  // Common file-based attacks
+  if (
+    lowerPath.startsWith('/.env') ||
+    lowerPath.startsWith('/.git') ||
+    lowerPath.startsWith('/.aws') ||
+    lowerPath.startsWith('/.ssh') ||
+    lowerPath.startsWith('/.docker') ||
+    lowerPath === '/config.json' ||
+    lowerPath === '/config.php' ||
+    lowerPath === '/configuration.php'
+  ) {
+    return true
+  }
+
+  // WordPress-related paths
+  if (
+    lowerPath.startsWith('/wp-admin') ||
+    lowerPath.startsWith('/wp-login') ||
+    lowerPath.startsWith('/wp-content') ||
+    lowerPath.startsWith('/wp-includes') ||
+    lowerPath === '/xmlrpc.php' ||
+    lowerPath === '/wp-config.php'
+  ) {
+    return true
+  }
+
+  // Other CMS and admin panels
+  if (
+    lowerPath.startsWith('/phpmyadmin') ||
+    lowerPath.startsWith('/pma') ||
+    lowerPath.startsWith('/admin') ||
+    lowerPath.startsWith('/administrator') ||
+    lowerPath.startsWith('/cpanel') ||
+    lowerPath.startsWith('/plesk') ||
+    lowerPath.startsWith('/webmail') ||
+    lowerPath.startsWith('/joomla') ||
+    lowerPath.startsWith('/drupal')
+  ) {
+    return true
+  }
+
+  // Common file extensions that Serlo doesn't use
+  if (
+    lowerPath.endsWith('.php') ||
+    lowerPath.endsWith('.asp') ||
+    lowerPath.endsWith('.aspx') ||
+    lowerPath.endsWith('.jsp') ||
+    lowerPath.endsWith('.cgi') ||
+    lowerPath.endsWith('.pl')
+  ) {
+    return true
+  }
+
+  return false
+}

src/index.ts

@@ -2,6 +2,7 @@ import { api } from './api'
 import { assetProxy } from './asset-proxy'
 import { semanticFileNames } from './assets'
 import { auth } from './auth'
+import { blockCommonHackerPaths } from './block-common-hacker-paths'
 import { cloudflareWorkerDev } from './cloudflare-worker-dev'
 import { redirectToCurrentAlias } from './current-alias-redirects'
 import { embed } from './embed'
@@ -30,6 +31,7 @@ export default {
         (await quickbarProxy(request, sentryFactory)) ||
         (await pdfProxy(request, sentryFactory)) ||
         robotsTxt(request, env) ||
+        blockCommonHackerPaths(request) ||
         (await frontendSpecialPaths(request, sentryFactory, env)) ||
         sentryHelloWorld(request, sentryFactory) ||
         redirects(request, env) ||

src/redirects.ts

@@ -51,7 +51,8 @@ export function redirects(request: Request, env: CFEnvironment) {
         return Response.redirect('https://de.serlo.org/privacy', 301)
       case '/impressum':
       case '/imprint':
-        return Response.redirect('https://de.serlo.org/legal', 301)
+      case '/legal':
+        return Response.redirect('https://chancenwerk.de/impressum/', 302)
       case '/nutzungsbedingungen':
       case '/21654':
       case '/21654/nutzungsbedingungen-und-urheberrecht':