Fix Improper Assets Management in ElysiaJS

Improper Assets Management in ElysiaJS environments typically manifests as Path Traversal or sensitive data exposure via the static file plugin. When developers map the static middleware to the project root or fail to sanitize asset paths, they inadvertently leak .env files, source code, and build artifacts. In a Bun-based ecosystem, this is a high-speed lane to full credential compromise.

The Vulnerable Pattern

import { Elysia } from 'elysia';
import { staticPlugin } from '@elysiajs/static';
const app = new Elysia()
// FATAL: Mapping to current directory allows access to .env, package.json, and node_modules
.use(staticPlugin({
assets: ’./’,
prefix: ‘/assets’
}))
.listen(3000);

The Secure Implementation

The vulnerability occurs because the staticPlugin serves any file within the 'assets' directory. By setting it to './', the entire project structure is exposed. The fix involves three layers of defense: 1. Directory Isolation: Move all public images/CSS to a specific 'public' folder that contains zero secrets. 2. Path Restriction: Use the 'prefix' option to ensure assets are only served under a specific URI. 3. Pattern Filtering: Use 'ignorePatterns' to explicitly block sensitive files like .env or configuration files even if they are accidentally moved into the public directory.

import { Elysia } from 'elysia';
import { staticPlugin } from '@elysiajs/static';
const app = new Elysia()
// SECURE: Isolate static assets to a dedicated, non-sensitive subdirectory
.use(staticPlugin({
assets: ‘public’,
prefix: ‘/static’,
alwaysStatic: true, // Bypasses dynamic path resolution overhead
ignorePatterns: [/.env/, /.git/]
}))
.listen(3000);