Remove password options from `serve` unlock (#5601)

These options are no longer considered safe as the file location or environment variable could be guessed by an attacker.
3 years ago · a2b290a31e
1 changed files with 4 additions and 0 deletions
--- a/apps/cli/src/commands/serve.command.ts
+++ b/apps/cli/src/commands/serve.command.ts
@ -245,6 +245,10 @@ export class ServeCommand {
				@@ -245,6 +245,10 @@ export class ServeCommand {
    });

    router.post("/unlock", async (ctx, next) => {
+      // Do not allow guessing password location through serve command
+      delete ctx.request.query.passwordFile;
+      delete ctx.request.query.passwordEnv;
+
      const response = await this.unlockCommand.run(
        ctx.request.body.password == null ? null : (ctx.request.body.password as string),
        ctx.request.query