
298 points sangeeth96 | 5 comments
simonw No.46237795
React Server Components always felt uncomfortable to me because they make it hard to look at a piece of JavaScript code and derive which parts of it are going to run on the client and which parts will run on the server.

It turns out this introduces another problem too: in order to get that to work you need to implement some kind of DEEP serialization RPC mechanism - which is kind of opaque to the developer and, as we've recently seen, is a risky spot in terms of potential security vulnerabilities.

replies(10): >>46237967 #>>46238102 #>>46238147 #>>46239075 #>>46240339 #>>46240602 #>>46240620 #>>46240996 #>>46241208 #>>46242116 #
1. TZubiri No.46239075
I had this issue with a React app I inherited: there was a .env with credentials, and I couldn't figure out whether it was being read from the frontend or the backend.

So I ran a static analysis (grep) on the apk generated and

points light at face dramatically

the credentials were inside the frontend!

replies(1): >>46239668 #
2. jaredwiener No.46239668
Why would you have anything for the backend in an APK? Wouldn't that be an app, that by definition runs on the client?

Most frameworks also by default block ALL environment variables on the client side unless the name is preceded by something specific, like NEXT_PUBLIC_*

replies(3): >>46240216 #>>46240354 #>>46241015 #
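A defender-side check for the leak TZubiri describes, using the NEXT_PUBLIC_ convention jaredwiener mentions: parse the .env, then see whether any non-public value appears verbatim in the built client bundle. This is an added example, not code from the thread; the .env contents and bundle fragment are constructed samples.

```python
"""Scan a built client bundle for values of non-public .env variables.
Added example, not from the thread. Assumes the Next.js convention the
thread mentions: only NEXT_PUBLIC_-prefixed variables belong in the bundle."""

PUBLIC_PREFIX = "NEXT_PUBLIC_"

def parse_dotenv(text):
    """Parse KEY=VALUE lines; skips comments and blanks, strips quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env

def find_leaks(env, bundle_text, min_len=8):
    """Names of private variables whose value appears verbatim in the bundle.
    Values shorter than min_len are skipped to avoid matching common substrings."""
    return sorted(
        key for key, value in env.items()
        if not key.startswith(PUBLIC_PREFIX)
        and len(value) >= min_len
        and value in bundle_text
    )

# Constructed sample .env and bundle fragment (not from the thread).
SAMPLE_ENV = """# constructed
NEXT_PUBLIC_API_URL=https://api.example.test
DATABASE_PASSWORD="s3cr3t-db-pass-2024"
STRIPE_SECRET_KEY=sk_test_constructed_0123456789
PORT=3000
"""
SAMPLE_BUNDLE = (
    'fetch("https://api.example.test/items");'
    'const client=new Stripe("sk_test_constructed_0123456789");'
)

if __name__ == "__main__":
    leaked = find_leaks(parse_dotenv(SAMPLE_ENV), SAMPLE_BUNDLE)
    print("leaked private variables:", leaked)  # ['STRIPE_SECRET_KEY']
```

Run it against the real .env and the contents of the build output directory (or the unpacked APK's web assets) in CI; a non-empty result means a private value reached the client.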
4. mcpeepants No.46240354
> Most frameworks also by default block ALL environment variables on the client side

I’ve been out of full stack dev for ~5 years now, and this statement is breaking my brain

5. TZubiri No.46241015
Why would you have anything for the backend in a browser app? Wouldn't that by definition run on the client?

These kinds of Node + mobile apps typically use an embedded browser like Electron or a built-in browser; it's not much different from a web app.