is path of DbBackups secure

1 month ago
Hi,
Is the path of DbBackups secure?
Isn't it a security vulnerability for it to be under wwwroot?
1 week ago
Is there no answer?

public static string DbBackupsPath => "db_backups\\";

wwwroot\db_backups

Doesn't this create a security vulnerability?
1 week ago
The ASP.NET Core templates call UseStaticFiles before calling UseAuthorization. Most apps follow this pattern. When the Static File Middleware is called before the authorization middleware:
- No authorization checks are performed on the static files.
- Static files served by the Static File Middleware, such as those under wwwroot, are publicly accessible.

But in nopCommerce, there is customization for static files. The db_backups folder needs the maintenance permission to be accessed.
Please see the code from the image.

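To make the middleware-ordering point above concrete, here is an added example (not nopCommerce's own code, and not taken from the thread) of how an ASP.NET Core app can gate one sub-folder of wwwroot behind an authorization policy while the rest of wwwroot stays public. The policy name "MaintenancePolicy" and the "permission" claim it requires are assumptions for illustration; nopCommerce's real permission check lives in its own code, referenced in the post above.

```csharp
// Added example: restrict /db_backups under wwwroot to users who satisfy an
// authorization policy. Everything else under wwwroot is still served publicly.
// "MaintenancePolicy" and the claim it checks are ASSUMED names for illustration.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Assumed policy: the caller must carry a "permission" claim with a maintenance value.
// In a real app this maps to whatever role/permission model the application already uses.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("MaintenancePolicy",
        policy => policy.RequireClaim("permission", "ManageMaintenance"));
});

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// This inline middleware runs BEFORE UseStaticFiles. UseAuthorization alone does not
// protect static files, because the static file middleware short-circuits the pipeline
// before any endpoint authorization runs; the check has to sit in front of it.
app.Use(async (context, next) =>
{
    // StartsWithSegments is case-insensitive by default, so /DB_BACKUPS is covered too,
    // and it matches whole segments, so /db_backups_public is NOT matched.
    if (context.Request.Path.StartsWithSegments("/db_backups"))
    {
        var authz = context.RequestServices.GetRequiredService<IAuthorizationService>();
        var result = await authz.AuthorizeAsync(context.User, "MaintenancePolicy");
        if (!result.Succeeded)
        {
            // Anonymous callers get 401, authenticated-but-unprivileged callers get 403.
            context.Response.StatusCode = context.User.Identity?.IsAuthenticated == true
                ? StatusCodes.Status403Forbidden
                : StatusCodes.Status401Unauthorized;
            return; // do not call next(): the file is never served
        }
    }
    await next();
});

// Static files are served only after the guard above has let the request through.
app.UseStaticFiles();

app.MapGet("/", () => "ok");
app.Run();
```

Two points to verify when reviewing such a setup: the guard must be registered before UseStaticFiles (and before any other static-file provider such as UseDirectoryBrowser), and the test that matters is an unauthenticated request for a known file name under the protected prefix, which should return 401/403 rather than the file.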
1 week ago
How safe is it that the backup folder is, by default, an internet-accessible folder (wwwroot/db_backups)?
1 week ago
The default directory is {content root}/wwwroot, but it can be changed with the UseWebRoot method.
Any of the project directories can be accessible if you configure them.
To put it another way: no directory can be accessed if you don't give access.

Please check the documentation:
Static files in ASP.NET Core https://learn.microsoft.com/en-us/aspnet/core/fundamentals/static-files?view=aspnetcore-7.0
1 week ago
I mean the backup should not be in a folder that is open on the internet... How logical is it to put a backup folder in a folder that everyone can access from the web?
It must be in App_Data:
public static string DbBackupsPath => "..\\App_Data\\";
1 week ago
suatsuphi wrote:
everyone can access

That's not true. Everyone doesn't have access to it. Please see the reply from tanzimsiddiqee above. You need the maintenance permission to get access to this folder (so administrators can download a backup)
1 week ago
This is the URL of the backup folder:
https://demo.nopcommerce.com/db_backups/index.htm

This is the backup file name structure:
database_2023-03-21-13-12-22_4297735156.bak

If you know a backup file's name, can you download that file?
https://demo.nopcommerce.com/db_backups/database_2023-03-21-13-12-22_4297735156.bak
1 week ago
suatsuphi wrote:
If you know a backup file's name, can you download that file?

No. Only administrators with the maintenance permission can do that.