Block composer.json|lock anywhere in the path

Co-authored-by: Toby Bellwood <[email protected]>
uselagoon · Sep 18, 2023 · 2a02bcb · 2a02bcb
1 parent 08e6f0f
commit 2a02bcb
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/images/nginx-drupal/drupal.conf b/images/nginx-drupal/drupal.conf
@@ -36,7 +36,7 @@ server {
     ## Replicate the Apache <FilesMatch> directive of Drupal standard
     ## .htaccess. Disable access to any code files. Return a 404 to curtail
     ## information disclosure.
-    location ~* \.(engine|inc|install|make|module|profile|po|sh|.*sql|.*sql\.gz|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^\/(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config|yarn\.lock|package(-lock)?\.json)$|^\/#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$ {
+    location ~* \.(engine|inc|install|make|module|profile|po|sh|.*sql|.*sql\.gz|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^\/(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template)$|(composer\.(json|lock)|web\.config|yarn\.lock|package(-lock)?\.json)$|^\/#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$ {
       deny all;
       access_log off;
       log_not_found off;