HTMX Security #166

nkavian · 2025-02-26T03:29:12Z

nkavian
Feb 26, 2025

I recently came across htmx.js and was impressed to use it in my new project. In researching it, I came across this library for Spring Boot and added it with the hopes that I would use it later.

Since then, I see for several weeks logging that shows some external actor is trying to probe for files. I usually log unhandled exceptions so I can see if users are having trouble. So I suspect most people don't know about the HTMX probing.

Question 1: When adding this library, what does it by default enable or turn on? Is it solely what's defined in HtmxMvcAutoConfiguration or is there more?

Question 2: Are there configuration settings that I need to look at or be aware of? I didn't see anything explicitly in the README.

Question 3: Does this library have functionality to read arbitrary files from the file system or class path? Seems like the probers do think that.

It's also plausible that there could be some other HTMX library out in the wild that has vulnerabilities and these probes are just mindlessly running against my system.

Thanks.

2025-02-26T02:56:39.011Z  WARN 37381 --- [io-9000-exec-10] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource 3-sequelize/final/.env.]
2025-02-26T02:57:09.623Z  WARN 37381 --- [nio-9000-exec-1] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource 31_structure_tests/.env.]
2025-02-26T02:57:40.150Z  WARN 37381 --- [nio-9000-exec-2] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource acme_challenges/.env.]
2025-02-26T02:58:10.876Z  WARN 37381 --- [nio-9000-exec-6] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource acme-challenge/.env.]
2025-02-26T02:58:41.418Z  WARN 37381 --- [nio-9000-exec-7] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource acme/.env.]
2025-02-26T02:59:11.951Z  WARN 37381 --- [nio-9000-exec-5] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource actions-server/.env.]
2025-02-26T02:59:42.437Z  WARN 37381 --- [nio-9000-exec-3] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource admin-app/.env.]
2025-02-26T03:00:13.007Z  WARN 37381 --- [nio-9000-exec-4] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource admin/.env.]
2025-02-26T03:00:43.588Z  WARN 37381 --- [nio-9000-exec-8] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource adminer/.env.]
2025-02-26T03:01:14.204Z  WARN 37381 --- [nio-9000-exec-9] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource administrator/.env.]
2025-02-26T03:01:39.697Z  WARN 37381 --- [io-9000-exec-10] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource alpha/.env.]
2025-02-26T03:02:10.474Z  WARN 37381 --- [nio-9000-exec-1] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource anaconda/..env.]
2025-02-26T03:02:41.404Z  WARN 37381 --- [nio-9000-exec-2] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource api/.env.]
2025-02-26T03:03:11.929Z  WARN 37381 --- [nio-9000-exec-6] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource phpinfo.]
2025-02-26T03:03:42.462Z  WARN 37381 --- [nio-9000-exec-7] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource api/src/.env.]
2025-02-26T03:04:13.132Z  WARN 37381 --- [nio-9000-exec-3] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource app_dir/.env.]
2025-02-26T03:04:43.856Z  WARN 37381 --- [nio-9000-exec-4] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource app_nginx_static_path/.env.]
2025-02-26T03:05:14.371Z  WARN 37381 --- [nio-9000-exec-8] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource app-order-client/.env.]
2025-02-26T03:05:44.988Z  WARN 37381 --- [nio-9000-exec-9] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource app/.env.]
2025-02-26T03:06:15.510Z  WARN 37381 --- [io-9000-exec-10] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource app/client/.env.]
2025-02-26T03:06:46.013Z  WARN 37381 --- [nio-9000-exec-1] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource app/config/.env.]
2025-02-26T03:07:16.475Z  WARN 37381 --- [nio-9000-exec-2] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource wp-config.php.]
2025-02-26T03:07:47.256Z  WARN 37381 --- [nio-9000-exec-6] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource app/config/dev/.env.]
2025-02-26T03:08:17.772Z  WARN 37381 --- [nio-9000-exec-7] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource app/frontend/.env.]
2025-02-26T03:08:48.594Z  WARN 37381 --- [nio-9000-exec-5] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource app1-static/.env.]
2025-02-26T03:09:19.315Z  WARN 37381 --- [nio-9000-exec-3] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource app2-static/.env.]
2025-02-26T03:09:49.828Z  WARN 37381 --- [nio-9000-exec-4] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource apps/.env.]
2025-02-26T03:10:20.207Z  WARN 37381 --- [nio-9000-exec-8] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource apps/client/.env.]
2025-02-26T03:10:50.862Z  WARN 37381 --- [nio-9000-exec-9] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource Archipel/.env.]
2025-02-26T03:11:21.377Z  WARN 37381 --- [io-9000-exec-10] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource asset_img/.env.]
2025-02-26T03:11:51.738Z  WARN 37381 --- [nio-9000-exec-1] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource assets/.env.]
2025-02-26T03:12:22.183Z  WARN 37381 --- [nio-9000-exec-2] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource Assignment3/.env.]
2025-02-26T03:12:52.667Z  WARN 37381 --- [nio-9000-exec-6] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource Assignment4/.env.]
2025-02-26T03:13:23.439Z  WARN 37381 --- [nio-9000-exec-7] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource audio/.env.]
2025-02-26T03:13:54.062Z  WARN 37381 --- [nio-9000-exec-5] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource awstats/.env.]
2025-02-26T03:14:24.471Z  WARN 37381 --- [nio-9000-exec-3] .m.HtmxExceptionHandlerExceptionResolver : Resolved [org.springframework.web.servlet.resource.NoResourceFoundException: No static resource back-end/app/.env.]

Answered by checketts

Feb 26, 2025

The files listed are common node and PHP files where passwords might be stored. They don't have anything to do with HTMX aside from the HtmxExceptionResolver logging the thrown exception (since it extends the AbstractHandlerExceptionResolver). That NoResourceFoundException is a Spring exception and is leveraging the static config.

So

Q1: Yes, just the auto config
Q2: No explicit HTMX properties (Though there are Thymeleaf, etc properties you would need to consider separtely)
Q3: No. This library only helps with HTMX request/response/views

View full answer

checketts · 2025-02-26T05:10:40Z

checketts
Feb 26, 2025
Collaborator

The files listed are common node and PHP files where passwords might be stored. They don't have anything to do with HTMX aside from the HtmxExceptionResolver logging the thrown exception (since it extends the AbstractHandlerExceptionResolver). That NoResourceFoundException is a Spring exception and is leveraging the static config.

So

Q1: Yes, just the auto config
Q2: No explicit HTMX properties (Though there are Thymeleaf, etc properties you would need to consider separtely)
Q3: No. This library only helps with HTMX request/response/views

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

HTMX Security #166

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

HTMX Security #166

Uh oh!

nkavian Feb 26, 2025

Replies: 1 comment

Uh oh!

checketts Feb 26, 2025 Collaborator

nkavian
Feb 26, 2025

checketts
Feb 26, 2025
Collaborator