marketing-shibata50/9router
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(security)(app): unauthenticated server shutdown endpoint enables d (#519)

Browse source 
The shutdown API calls `process.exit(0)` on POST without any authentication or authorization checks. Any party that can reach this endpoint can terminate the server process, causing immediate service disruption.

Affected files: route.js

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
This commit is contained in:
tuanaiseo 2026-04-08 15:39:09 +07:00 committed by GitHub
parent 23abe1a7bb
commit 1f3d3a8f7f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 12 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

12
src/app/api/shutdown/route.js
View file

@ -1,6 +1,18 @@
import { NextResponse } from "next/server";
import { headers } from "next/headers";
export async function POST() {
if (process.env.NODE_ENV === "production") {
return NextResponse.json({ success: false, message: "Not allowed in production" }, { status: 403 });
}
const secret = process.env.SHUTDOWN_SECRET;
const authorization = headers().get("authorization");
if (!secret || authorization !== `Bearer ${secret}`) {
return NextResponse.json({ success: false, message: "Unauthorized" }, { status: 401 });
}
const response = NextResponse.json({ success: true, message: "Shutting down..." });
setTimeout(() => {