Symfony version(s) affected

6.4,7.0,7.1

Description

Any hidden / dotfile in the assets directory is deployed and publically accessible.

Assets files are versionned via a prefix inserted before the file extension.

The servers standard protection against dotfile access cannot work, as the mapped files are not "dotfiles" anymore.

your-project/
├─ assets/
│  ├─ .DS_Store 
│  ├─ .cert
│  └─ ... 

your-project/
├─ public/
│  ├─ assets/
│  │   ├─ -XXXXX.DS_Store
│  │  └─ -YYYYY.cert

How to reproduce

symfony new asset-mapper-dot-files --webapp --version="next" \
	&& cd asset-mapper-dot-files \
	&& composer req symfony/asset-mapper \
	&& touch assets/.FOO \
	&& APP_ENV=prod php bin/console asset-map:compile 
	
ls -la public/assets	

Possible Solution

Exclude patterns

This behaviour can be prevented with a specific config directive

# config/asset_mapper.yaml
framework:
    asset_mapper:
        # The paths to make available to the asset mapper.
        paths:
            - assets/

        excluded_patterns:
            - '*/.*'

As of today this is neither documented or "default behaviour".

That could be a first move, but this is something risky, as the pattern is not self-explanatory

Fix asset collection

Another way would be to modify the assets collection (in the Repository) to ignore dotfiles

..

What do you think ?