4

In the case of Shiny apps published on a private network using Shiny Server: are the files in the project folder and subfolders (such as www and/or data) vulnerable to being accessible to an external user who has access to said private network, after the app has been deployed? Are said files accessible through a web browser, for instance?

I'm trying to convince the IT guys at the company that I work in to configure a shiny server, but the security of the files in the app has been an issue.

I have reviewed the answers given here, and also looked for information online, but when you look for information about security on Shiny apps, you get information about authentication solutions.

I'm not thinking about adding authentication, just trying to find out how safe the files in the project's folder are. Any documentation regarding this issue would be very much appreciated.

David Jorquera
  • Tried on many published Shiny apps : /data & /www => Not Found on Server – Waldi Jun 19 '20 at 14:15
  • Should be secure enough, particularly if there is a proxy in front such as `nginx` or `apache`, then you can configure it better and have better visibility. Also if there were some major vulnerabilities you would probably hear about them already – Pork Chop Jun 19 '20 at 14:26
  • Files under the app's `www/` subdirectory are accessible at the root path of the app server, `/`. No other files should be served unless the app has explicitly made them accessible (e.g., through `addResourcePath()`). See https://shiny.rstudio.com/reference/shiny/latest/resourcePaths.html. Also, I've never heard of a `data` folder being used. – greg L Jun 19 '20 at 17:08
  • @gregL so you are saying that files in the `www` folder are accessible. But when I enter the URL of the app plus `/name_of_the_resource` I get a "Not Found" message. – David Jorquera Jun 19 '20 at 17:18
  • Can you reproduce that on your local machine, outside of Shiny Server and outside of the server hosting the app? (`www` file serving is a feature of the Shiny package) – greg L Jun 19 '20 at 17:23
  • Tried on a local app and a shinyapps.io published app; the files in `www` are accessible. So, as I get from your comment, any other location for files in the project is safe? – David Jorquera Jun 19 '20 at 17:39
  • Yes, all other files are safe. The files in the `www/` subdirectory are the only ones that are published by default. – greg L Jun 19 '20 at 18:28

1 Answer

0

If you are using Shiny server older than 1.5.16, you may be vulnerable to an exploit that exposes these files (at least in the default configuration), and should consider updating.

https://blog.rstudio.com/2021/01/13/shiny-server-1-5-16-update/

laxxy
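
The rule described in the comments above (only `www/` is published by default, anything else needs an explicit `addResourcePath()` call) can be checked before deployment. The following audit script is an added example, not part of the original thread; `audit_shiny_app()` is a hypothetical helper, the list of data-like extensions is an illustrative choice, and the sample app is constructed in a temp directory.

```r
# Added example (not from the thread). audit_shiny_app() is a hypothetical helper.
# Assumption taken from the comments: only www/ is served by default; other
# directories are served only if the app calls addResourcePath().
audit_shiny_app <- function(app_dir) {
  www <- file.path(app_dir, "www")
  served <- if (dir.exists(www)) {
    list.files(www, recursive = TRUE, all.files = TRUE)  # include dotfiles
  } else {
    character(0)
  }
  # Data-like extensions: an illustrative choice, not an official list.
  risky <- grepl("\\.(csv|tsv|xlsx?|rds|rda|rdata|sqlite|db|json|ya?ml|env)$",
                 served, ignore.case = TRUE)

  # Locate addResourcePath() calls in the app's R sources for manual review.
  r_files <- list.files(app_dir, pattern = "\\.[rR]$", recursive = TRUE,
                        full.names = TRUE)
  extra <- unlist(lapply(r_files, function(f) {
    src <- readLines(f, warn = FALSE)
    hits <- grep("addResourcePath[[:space:]]*\\(", src)
    if (length(hits)) sprintf("%s:%d: %s", basename(f), hits, trimws(src[hits]))
  }))

  list(served_by_default   = served,
       data_like_in_www    = served[risky],
       resource_path_calls = if (is.null(extra)) character(0) else extra)
}

# Constructed sample app, built in a temp directory to show the report.
app <- file.path(tempdir(), "demo_app")
dir.create(file.path(app, "www"), recursive = TRUE, showWarnings = FALSE)
dir.create(file.path(app, "data"), showWarnings = FALSE)
writeLines("body {}", file.path(app, "www", "style.css"))
writeLines("id,salary", file.path(app, "www", "export.csv"))  # published by default
# data/hr.csv is not served by default; here it is exposed only because
# app.R maps the data directory with addResourcePath().
writeLines("id,salary", file.path(app, "data", "hr.csv"))
writeLines('shiny::addResourcePath("files", "data")', file.path(app, "app.R"))
str(audit_shiny_app(app))
```

This reflects only Shiny's default file-serving behaviour; it does not account for the Shiny Server issue fixed in 1.5.16 that the answer mentions.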