
Some of the configuration files I mean to publish as part of a Github project include full filesystem paths (including username login) in my localhost. Does this pose a possible security vulnerability?

For example in a configuration file I may have

<script>window.MathJax || document.write('<script type="text/javascript" src="/home/myspecialusername/projects/MathJax/MathJax.js?config=TeX-AMS_HTML-full"><\/script>')</script>

(In this example the browser is instructed to use a local copy of MathJax if offline.)

user68297

1 Answer


Full filesystem paths by themselves do not present an issue, but it's not best practice, for either security or general software development. As schroeder mentioned, you should use relative paths. Exposing the full file path could make it easier to exploit other vulnerabilities, such as path traversal, direct object reference, or local file inclusion. As far as general software design principles, using absolute file paths like that makes your solution extremely brittle and potentially difficult to deploy to multiple servers/environments.

On the flip-side, I would ask yourself if there is any reason why using absolute file paths is preferable to the relative ones. The only time where that might be the case is when you're referencing a CDN hosted file.

Dan Landberg
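A pre-publish check in the spirit of the answer above, added here as an example and not part of the original thread: it scans a file's text for paths rooted in a user's home directory (Linux, macOS and Windows layouts), reports the leaked login name, and proposes a repository-relative replacement. The project root, the helper names and the sample snippet are assumptions chosen to mirror the question.

```javascript
// Added example, not code from the original post. Flags absolute paths that
// reveal a login name and machine layout, and suggests a relative path.
const HOME_PATH = /(?:\/home\/|\/Users\/|[A-Za-z]:\\Users\\)([^\/\\\s"'<>]+)([\/\\][^\s"'<>]*)?/g;

// Returns every home-rooted path found in `text` with the user name it exposes.
function findUserHomePaths(text) {
  const hits = [];
  for (const m of text.matchAll(HOME_PATH)) {
    hits.push({ path: m[0], user: m[1], rest: m[2] || '' });
  }
  return hits;
}

// Assumes the project checkout lives at `projectRoot` on the author's machine:
// paths under it become './...'; anything else returns null and needs manual
// review (vendor the file into the repo or load it from a CDN instead).
function suggestRelative(absPath, projectRoot) {
  const norm = p => p.replace(/\\/g, '/').replace(/\/+$/, '');
  const a = norm(absPath), r = norm(projectRoot);
  if (a === r) return './';
  if (a.startsWith(r + '/')) return './' + a.slice(r.length + 1);
  return null;
}

// One report entry per leaked path: what was found, whose name it leaks,
// and what to write instead.
function checkConfig(text, projectRoot) {
  return findUserHomePaths(text).map(h => ({
    path: h.path,
    user: h.user,
    suggestion: suggestRelative(h.path, projectRoot),
  }));
}

// Constructed sample mirroring the MathJax fallback line in the question.
const SAMPLE = `<script>window.MathJax || document.write('<script type="text/javascript" src="/home/myspecialusername/projects/MathJax/MathJax.js?config=TeX-AMS_HTML-full"><\\/script>')</script>`;

console.log(JSON.stringify(checkConfig(SAMPLE, '/home/myspecialusername/projects'), null, 2));
```

Run it over each file before committing; a non-empty report means the config still carries a path that belongs only to one machine.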