How to fix Improper Assets Management in Vapor (Swift)
Executive Summary
Improper Asset Management in Vapor applications typically means exposing sensitive internal files, environment configurations, or debug-only assets to the public web. This usually stems from pointing FileMiddleware at the project root instead of a dedicated public directory, or from failing to filter out sensitive file extensions such as .env, .sql, or .swift source files. In a production environment, this is a goldmine for reconnaissance and credential harvesting.
The Vulnerable Pattern
```swift
import Vapor

func routes(_ app: Application) throws {
    // VULNERABLE: serving the working directory lets any client download
    // .env, Package.swift and the Sources/ tree over HTTP
    let fileMiddleware = FileMiddleware(publicDirectory: app.directory.workingDirectory)
    app.middleware.use(fileMiddleware)

    app.get("debug-info") { req -> String in
        // VULNERABLE: leaks internal filesystem paths and a database connection string
        return "Path: \(app.directory.workingDirectory) | Env: \(Environment.get("DATABASE_URL") ?? "none")"
    }
}
```
The Secure Implementation
To fix asset management flaws:

1. Strict Scoping: Never use 'workingDirectory' for FileMiddleware; explicitly use 'publicDirectory'.
2. Extension Filtering: Implement a custom Middleware that intercepts and drops requests for sensitive file types (.env, .git, .sh). Register it before FileMiddleware: Vapor runs middleware in registration order, so a guard added after FileMiddleware never sees a request for a file that exists on disk.
3. Environment Segregation: Use 'app.environment' checks to ensure that diagnostic routes or internal documentation assets are never registered in production builds.
4. Minimalist Containerization: Ensure your Dockerfile only copies the compiled binary and the 'Public' folder, leaving source code and build artifacts out of the production image.
```swift
import Vapor

// SECURE: guard middleware that rejects requests for sensitive file patterns.
// Each path component is checked on its own, so "/.git/config" and
// "/config/.env" are blocked as well as "/.env".
struct AssetGuardMiddleware: Middleware {
    let blockedSuffixes = [".env", ".swift", ".sql", ".git", ".yml"]

    func respond(to request: Request, chainingTo next: Responder) -> EventLoopFuture<Response> {
        let components = request.url.path.lowercased().split(separator: "/")
        let blocked = components.contains { component in
            blockedSuffixes.contains { component.hasSuffix($0) }
        }
        if blocked {
            return request.eventLoop.makeFailedFuture(Abort(.forbidden))
        }
        return next.respond(to: request)
    }
}

func routes(_ app: Application) throws {
    // SECURE: the guard is registered BEFORE FileMiddleware. Vapor chains
    // middleware in registration order, so a guard added after FileMiddleware
    // would never see a request for a file that exists on disk.
    app.middleware.use(AssetGuardMiddleware())

    // SECURE: only serve files from the dedicated 'Public' folder
    let fileMiddleware = FileMiddleware(publicDirectory: app.directory.publicDirectory)
    app.middleware.use(fileMiddleware)

    // SECURE: diagnostic routes are only registered outside production
    if app.environment != .production {
        app.get("debug-info") { req in
            "Debug Mode Active"
        }
    }
}
```
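Step 4 above (a minimal production image) is not shown in the page's own code; the following multi-stage Dockerfile is an added example, not Ghost Labs' or Vapor's own file. It assumes the executable product in Package.swift is named "App" and that the Swift standard library is linked statically so the runtime stage needs no Swift toolchain.

```dockerfile
# Stage 1: build the release binary. Sources, Package.swift, .build/ and
# any .env file stay in this stage and never reach the runtime image.
FROM swift:5.9-jammy AS build
WORKDIR /build
COPY . .
# Assumption: the executable product is called "App".
RUN swift build -c release --product App --static-swift-stdlib

# Stage 2: minimal runtime image with only the binary and the Public folder.
FROM ubuntu:jammy
RUN apt-get update \
    && apt-get install -y --no-install-recommends ca-certificates tzdata libjemalloc2 \
    && rm -rf /var/lib/apt/lists/*
# Run as an unprivileged user; the app directory is owned by it, not root.
RUN useradd --system --create-home --home-dir /app vapor
WORKDIR /app
COPY --from=build --chown=vapor:vapor /build/.build/release/App ./App
COPY --from=build --chown=vapor:vapor /build/Public ./Public
# Nothing else is copied: no .git, no Sources/, no .env, no build artifacts.
USER vapor
ENTRYPOINT ["./App"]
CMD ["serve", "--env", "production", "--hostname", "0.0.0.0", "--port", "8080"]
```

Pair this with a .dockerignore listing .env, .git and .build so those paths are not even sent to the build stage; the FileMiddleware in the runtime image then has nothing sensitive to serve even if it were misconfigured.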
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.