
Do not serve hidden files or files in hidden folders

Marc Ypes 8 years ago
parent
commit
844c9fdee9

+ 4 - 0
src/Routing/Middleware/AssetMiddleware.php

@@ -88,6 +88,10 @@ class AssetMiddleware
             return $next($request, $response);
         }
 
+        if (strpos($url, '/.') !== false) {
+            return $next($request, $response);
+        }
+
         $assetFile = $this->_getAssetFile($url);
         if ($assetFile === null || !file_exists($assetFile)) {
             return $next($request, $response);
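Review bot: The added guard compares `$url` against the literal `/.`, so it only excludes hidden paths if `$url` is already percent-decoded and normalized at this point; if `_getAssetFile()` decodes or normalizes the path afterwards, a request whose dot is encoded could reach `file_exists()` with a dot-segment the guard never saw. Whether `$url` is decoded is not visible in this hunk (the enclosing method starts above it), so either confirm it with a test using an encoded dot or move the check to after the path is normalized. The condition is terse enough to deserve a why-comment, e.g. `// Never serve dot-files or anything under a dot-directory; hand the request on.`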

+ 36 - 0
tests/TestCase/Routing/Middleware/AssetMiddlewareTest.php

@@ -232,4 +232,40 @@ class AssetMiddlewareTest extends TestCase
         $res = $middleware($request, $response, $next);
         $this->assertEmpty($res->getBody()->getContents());
     }
+
+    /**
+     * Test that hidden filenames result in a 404
+     *
+     * @return void
+     */
+    public function test404OnHiddenFile()
+    {
+        $request = ServerRequestFactory::fromGlobals(['REQUEST_URI' => '/test_plugin/.hiddenfile']);
+        $response = new Response();
+        $next = function ($req, $res) {
+            return $res;
+        };
+
+        $middleware = new AssetMiddleware();
+        $res = $middleware($request, $response, $next);
+        $this->assertEmpty($res->getBody()->getContents());
+    }
+
+    /**
+     * Test that hidden filenames result in a 404
+     *
+     * @return void
+     */
+    public function test404OnHiddenFolder()
+    {
+        $request = ServerRequestFactory::fromGlobals(['REQUEST_URI' => '/test_plugin/.hiddenfolder/some.js']);
+        $response = new Response();
+        $next = function ($req, $res) {
+            return $res;
+        };
+
+        $middleware = new AssetMiddleware();
+        $res = $middleware($request, $response, $next);
+        $this->assertEmpty($res->getBody()->getContents());
+    }
 }
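Review bot: Both new tests are documented as checking for a 404 (`Test that hidden filenames result in a 404`), but they only assert that the body is empty, which is exactly what `$next` returning `$response` untouched produces; they would also pass if the middleware returned any other empty-bodied response. Assert the pass-through explicitly, e.g. `$this->assertSame($response, $res);`, or assert the status the application is expected to produce, and fix the copy-pasted docblock on `test404OnHiddenFolder` to read `Test that files inside hidden folders result in a 404`. The two methods differ only in the request URI, so a `@dataProvider` with the two paths (and an encoded-dot variant) would keep the cases together.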

+ 1 - 0
tests/test_app/Plugin/TestPlugin/webroot/.hiddenfile

@@ -0,0 +1 @@
+some content

+ 1 - 0
tests/test_app/Plugin/TestPlugin/webroot/.hiddenfolder/some.js

@@ -0,0 +1 @@
+var content = 'some';