Bart/9router
1
0
Fork 0
mirror of https://github.com/decolua/9router.git synced 2026-05-08 12:01:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security)(app): unauthenticated server shutdown endpoint enables d (#519)

Browse Source 
The shutdown API calls `process.exit(0)` on POST without any authentication or authorization checks. Any party that can reach this endpoint can terminate the server process, causing immediate service disruption.

Affected files: route.js

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
This commit is contained in:
tuanaiseo
2026-04-08 15:39:09 +07:00
committed by GitHub
parent 23abe1a7bb
commit 1f3d3a8f7f
1 changed files with 12 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
src/app/api/shutdown/route.js
View File

@@ -1,6 +1,18 @@
import { NextResponse } from "next/server"; import { NextResponse } from "next/server";
import { headers } from "next/headers";
export async function POST() { export async function POST() {
if (process.env.NODE_ENV === "production") {
return NextResponse.json({ success: false, message: "Not allowed in production" }, { status: 403 });
}
const secret = process.env.SHUTDOWN_SECRET;
const authorization = headers().get("authorization");
if (!secret || authorization !== `Bearer ${secret}`) {
return NextResponse.json({ success: false, message: "Unauthorized" }, { status: 401 });
}
const response = NextResponse.json({ success: true, message: "Shutting down..." }); const response = NextResponse.json({ success: true, message: "Shutting down..." });
setTimeout(() => { setTimeout(() => {