Fix Improper Assets Management in Hanami
Improper Assets Management in Hanami occurs when internal project structures, sensitive configuration files, or uncompiled source code are exposed via the asset pipeline. Attackers leverage misconfigured source paths to perform directory traversal or locate sensitive files like .env or database.yml that were accidentally indexed by the asset server.
The Vulnerable Pattern
module CoffeeShop
  class App < Hanami::App
    config.assets.sources = [
      'app/assets',
      '.' # FATAL ERROR: Including project root exposes sensitive files
    ]
    # Serving static files in production without a dedicated web server
    config.assets.serve_static = true
  end
end
The Secure Implementation
The vulnerability is mitigated by strictly defining the asset source directories. Removing '.' from the sources array stops the asset pipeline from mapping the entire project root onto the public web. Enabling fingerprint serves each asset under a unique hashed filename, preventing cache poisoning. Setting compile = false in production ensures the application only serves files explicitly listed in manifest.json, so an attacker cannot request arbitrary files that were never approved for public distribution.
module CoffeeShop
  class App < Hanami::App
    config.assets.sources = [
      'app/assets',
      'vendor/assets'
    ]
    # Enforce fingerprinting for cache busting and integrity
    config.assets.fingerprint = true
    # Disable live compilation in production; use precompiled assets only
    if Hanami.env?(:production)
      config.assets.compile = false
      config.assets.manifest = 'public/assets/manifest.json'
    end
  end
end
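The following is an added, self-contained model of the serving decision described above; it is not Hanami's own code. The AssetResolver class, the project root /srv/coffee_shop, the file list and the manifest entries are all constructed for the example. It contrasts three configurations: the vulnerable one (project root in sources, live compilation), sources restricted to asset directories only, and the fully hardened one (restricted sources plus a manifest allowlist), showing which requests each one would serve.

```ruby
require 'pathname'

# Constructed model of asset resolution (not Hanami's implementation).
# Two settings mirror the configuration discussed on this page:
#   sources  - directories the pipeline may map (config.assets.sources)
#   manifest - when given, the allowlist of precompiled files (compile = false),
#              served from public_dir; when nil, any existing file under a
#              source directory is servable (live compilation).
class AssetResolver
  def initialize(root:, sources:, files:, manifest: nil, public_dir: 'public/assets')
    @root = Pathname.new(root).cleanpath
    @sources = sources.map { |s| (@root + s).cleanpath }
    @public_dir = (@root + public_dir).cleanpath
    @manifest = manifest
    # Stand-in for the filesystem: absolute paths of the files that exist.
    @files = files.map { |f| (@root + f).cleanpath.to_s }
  end

  # Returns the absolute path that would be served, or nil if the request is refused.
  def resolve(request_path)
    logical = request_path.to_s.sub(%r{\A/+}, '')
    return nil if logical.empty?

    if @manifest
      # Strict mode: only manifest keys are served, under their fingerprinted
      # names, and only from the precompiled output directory.
      fingerprinted = @manifest[logical]
      return nil unless fingerprinted
      return serve_from(@public_dir, fingerprinted)
    end

    # Live mode: the first source directory that contains the file wins.
    @sources.each do |dir|
      found = serve_from(dir, logical)
      return found if found
    end
    nil
  end

  private

  def serve_from(dir, relative)
    candidate = (dir + relative).cleanpath
    # Containment check: the resolved path must stay inside dir, which defeats
    # '..' segments and absolute paths smuggled into the request.
    return nil unless candidate.to_s.start_with?(dir.to_s + File::SEPARATOR)
    @files.include?(candidate.to_s) ? candidate.to_s : nil
  end
end

# Constructed project layout (hypothetical root, hypothetical files).
ROOT = '/srv/coffee_shop'
FILES = %w[
  .env
  config/database.yml
  app/assets/app.css
  vendor/assets/normalize.css
  public/assets/app-9f86d081.css
].freeze
# Constructed manifest.json contents: logical name => fingerprinted file.
MANIFEST = { 'app.css' => 'app-9f86d081.css' }.freeze

# Vulnerable: project root mapped as an asset source, live compilation.
VULNERABLE = AssetResolver.new(root: ROOT, sources: ['app/assets', '.'], files: FILES)
# Better: only real asset directories are mapped, still live compilation.
RESTRICTED = AssetResolver.new(root: ROOT, sources: ['app/assets', 'vendor/assets'], files: FILES)
# Hardened: restricted sources plus a manifest allowlist (compile = false).
HARDENED = AssetResolver.new(root: ROOT, sources: ['app/assets', 'vendor/assets'],
                             files: FILES, manifest: MANIFEST)

if __FILE__ == $PROGRAM_NAME
  %w[/app.css /.env /config/database.yml /../../etc/passwd].each do |req|
    puts format('%-22s vulnerable=%-38s restricted=%-38s hardened=%s',
                req, VULNERABLE.resolve(req).inspect,
                RESTRICTED.resolve(req).inspect, HARDENED.resolve(req).inspect)
  end
end
```

Running the script shows that the vulnerable configuration serves .env and config/database.yml straight from the project root, that dropping '.' from sources already refuses both, and that the manifest allowlist refuses every request that is not a precompiled asset, regardless of which files exist on disk. The containment check in serve_from is the piece any static-file handler needs: it is what stops a '..' in the request from escaping the directory that was actually configured.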
Verified by Ghost Labs Security Team