Fix Shadow API Exposure in Sails
Sails.js 'Shadow Routes' are a classic case of convenience killing security. By default, the Blueprints hook maps CRUD operations directly to your models without requiring a single line of controller code. To an attacker, this is a buffet of unauthenticated endpoints and mass-assignment sinks. If you haven't explicitly nuked these blueprints, you're likely leaking PII or allowing unauthorized state changes via hidden /create or /update routes.
The Vulnerable Pattern
// config/blueprints.js
module.exports.blueprints = {
  actions: true,
  rest: true,
  shortcuts: true
};

// api/models/User.js
// Simply defining this model automatically exposes:
//   POST   /user      (Create)
//   GET    /user/:id  (Read)
//   PATCH  /user/:id  (Update)
//   DELETE /user/:id  (Delete)
module.exports = {
  attributes: {
    email:    { type: 'string', required: true },
    password: { type: 'string', required: true },
    // Writable through the blueprint create/update routes: a mass-assignment sink
    isAdmin:  { type: 'boolean', defaultsTo: false }
  }
};
The Secure Implementation
The fix is tactical: disable the 'magic'. By setting 'actions', 'rest', and 'shortcuts' to false in 'config/blueprints.js', you prevent Sails from automatically generating routes for your models. This enforces a 'Deny-by-Default' posture. Once the blueprints are disabled, you must manually map every intended endpoint in 'config/routes.js' to a specific controller action. This ensures that only the code you have audited and secured is reachable by external requests, effectively closing the shadow API surface.
// config/blueprints.js
module.exports.blueprints = {
  // 1. Kill the shadow routes globally
  actions: false,
  rest: false,
  shortcuts: false
};

// config/routes.js
// 2. Implement an explicit 'Allow-List' for your API surface
module.exports.routes = {
  'POST /api/v1/auth/signup': 'UserController.signup',
  'GET /api/v1/me': 'UserController.profile'
};
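As an added example, not code from the original post: the explicit UserController.signup action that the route table above points at, with the request-body allow-list that closes the isAdmin mass-assignment sink the blueprint POST /user route left open, plus a small helper that reports which blueprint generators a config/blueprints.js object still has switched on. `createUser` is a hypothetical persistence callback standing in for User.create so the file runs without Sails.

```javascript
'use strict';

// Only these body fields may reach the model from the signup endpoint.
const ALLOWED_SIGNUP_FIELDS = ['email', 'password'];

// Allow-list the request body: accepted fields are copied, everything else
// (isAdmin, id, createdAt, ...) is reported in `rejected` and never applied.
// Password hashing stays in the model's beforeCreate lifecycle callback (not shown).
function sanitizeSignup(body) {
  const record = {};
  const rejected = [];
  for (const key of Object.keys(body || {})) {
    if (ALLOWED_SIGNUP_FIELDS.includes(key)) {
      record[key] = body[key];
    } else {
      rejected.push(key);
    }
  }
  if (typeof record.email !== 'string' || !record.email.includes('@')) {
    throw new Error('email is required');
  }
  if (typeof record.password !== 'string' || record.password.length < 12) {
    throw new Error('password must be at least 12 characters');
  }
  return { record, rejected };
}

// Given the object exported by config/blueprints.js, list the implicit route
// generators that are still enabled; an empty list is the deny-by-default state.
function auditBlueprints(blueprints) {
  return ['actions', 'rest', 'shortcuts'].filter((k) => blueprints[k] === true);
}

// Controller action wired in config/routes.js as 'UserController.signup'.
// `createUser` is a hypothetical stand-in for User.create(record).
async function signup(req, res, createUser) {
  let cleaned;
  try {
    cleaned = sanitizeSignup(req.body);
  } catch (err) {
    return res.status(400).json({ error: err.message });
  }
  const user = await createUser(cleaned.record);
  // Respond with a projection, never the raw record (no password, no isAdmin).
  return res.status(201).json({ id: user.id, email: user.email });
}
```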
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.