From 2a02bcb07fd9892f7f4fe31b71e078c430b3e234 Mon Sep 17 00:00:00 2001
From: Sean Hamlin
Date: Mon, 18 Sep 2023 21:27:54 +1200
Subject: [PATCH] Block composer.json|lock anywhere in the path

Co-authored-by: Toby Bellwood
---
 images/nginx-drupal/drupal.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/images/nginx-drupal/drupal.conf b/images/nginx-drupal/drupal.conf
index e453f6d4e..0a485faf4 100644
--- a/images/nginx-drupal/drupal.conf
+++ b/images/nginx-drupal/drupal.conf
@@ -36,7 +36,7 @@ server {
 ## Replicate the Apache directive of Drupal standard
 ## .htaccess. Disable access to any code files. Return a 404 to curtail
 ## information disclosure.
- location ~* \.(engine|inc|install|make|module|profile|po|sh|.*sql|.*sql\.gz|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^\/(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config|yarn\.lock|package(-lock)?\.json)$|^\/#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$ {
+ location ~* \.(engine|inc|install|make|module|profile|po|sh|.*sql|.*sql\.gz|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^\/(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template)$|(composer\.(json|lock)|web\.config|yarn\.lock|package(-lock)?\.json)$|^\/#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$ {
 deny all;
 access_log off;
 log_not_found off;
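Review bot: The relocated alternative `(composer\.(json|lock)|web\.config|yarn\.lock|package(-lock)?\.json)$` on the new `location` line has no left anchor, so it denies any URI that merely ends in one of these strings (a file named `my-package.json`, say), not only files with exactly those names. Anchoring it on a path boundary keeps the "anywhere in the path" intent without the over-match: `(^|\/)(composer\.(json|lock)|web\.config|yarn\.lock|package(-lock)?\.json)$`. Editor and backup copies such as `composer.lock.bak` are still not covered, because the `(~|\.sw[op]|\.bak|\.orig|\.save)` suffix group is attached only to the first alternative and to `\.php`; adding `(~|\.sw[op]|\.bak|\.orig|\.save)?` before the final `$` of this group would close that gap. The `location` block's body continues past the end of the hunk, so whether it returns the 404 that the comment describes cannot be confirmed from here.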