
Security: Block access to dotfiles and directories (.git, .env, etc.) #28

@melvincarvalho

Description


Summary

Solid pods currently serve dotfiles and dot-directories (e.g., .git/, .env) publicly. This is a security vulnerability - standard web server practice is to block access to these paths.

Reproduction

  1. Initialize a git repo in a public pod directory:

    cd /path/to/pod/public/folder
    git init
    git add . && git commit -m "Initial commit"

  2. Access the git config via HTTP:

    GET https://example.solid.social/public/folder/.git/config

  3. Result: Git config is exposed:

    [core]
        repositoryformatversion = 0
        filemode = true
        bare = false
        logallrefupdates = true

Impact

An attacker could:

  • Reconstruct full repository history via .git/objects/
  • Access sensitive data from old commits
  • Read .git/logs/ for activity patterns
  • Find credentials if .env files exist

Expected Behavior

Requests to paths matching dotfile patterns should return 403 Forbidden:

  • /.git/
  • /.env
  • /.htaccess
  • /.DS_Store
  • Any path segment starting with .

Suggested Implementation

// Middleware to block dotfile access (Express-style req/res/next signature)
function blockDotfiles(req, res, next) {
  // req.path is the URL path without the query string; each '/'-separated
  // segment is checked, so nested dot-directories (e.g. /a/b/.git/config) are caught
  const segments = req.path.split('/');
  // A lone '.' segment is not a dotfile; anything longer starting with '.' is
  const hasDotfile = segments.some(seg => seg.startsWith('.') && seg.length > 1);

  if (hasDotfile) {
    return res.status(403).send('Forbidden: Dotfile access blocked');
  }
  next();
}

Configuration Option

Consider a config flag for users who explicitly want dotfile access:

{
  "blockDotfiles": true  // default: true
}

References

  • Apache: RedirectMatch 403 /\.
  • Nginx: location ~ /\. { deny all; }
  • Express: Various dotfile-blocking middleware

Priority

High - This is a security vulnerability with immediate exploit potential on any pod with version control.
