Conversation

Contributor

Copilot AI commented Sep 30, 2025

Problem

Bots and hackers frequently probe web applications with common attack paths looking for vulnerabilities:

  • /.env (environment variables)
  • /wp-admin, /wp-login.php (WordPress installations)
  • /phpmyadmin (database admin panels)
  • /admin, /administrator (admin panels)
  • Files with extensions like .php, .asp, .jsp (which Serlo doesn't use)

These requests were reaching the database through the alias query system in redirectToCurrentAlias, causing unnecessary database load despite Serlo not having any content at these paths.

Solution

Added an early check in the redirectToCurrentAlias function that returns a 404 response for common hacker paths before querying the database:

```typescript
function isCommonHackerPath(path: string): boolean {
  const lowerPath = path.toLowerCase()

  // Block file-based attacks
  if (lowerPath.startsWith('/.env') || lowerPath.startsWith('/.git') || ...)
    return true

  // Block WordPress-related paths
  if (lowerPath.startsWith('/wp-admin') || lowerPath.startsWith('/wp-login') || ...)
    return true

  // Block CMS and admin panels
  if (lowerPath.startsWith('/phpmyadmin') || lowerPath.startsWith('/admin') || ...)
    return true

  // Block disallowed file extensions
  if (lowerPath.endsWith('.php') || lowerPath.endsWith('.asp') || ...)
    return true

  return false
}
```

The check is performed in redirectToCurrentAlias(), returning new Response('Not Found', { status: 404 }) immediately for blocked paths and preventing the database query.

Impact

✅ Reduces unnecessary database queries from bot/hacker probes
✅ Returns proper 404 HTTP status for invalid paths
✅ No impact on legitimate traffic - all existing tests pass
✅ Case-insensitive matching (blocks both /WP-ADMIN and /wp-admin)
✅ Comprehensive test coverage with 30 new tests
✅ Minimal code footprint (66 lines of production code)

Examples

Blocked paths (return 404, will NOT reach database):

  • /.env → 404
  • /wp-admin → 404
  • /phpmyadmin → 404
  • /test.php → 404
  • /admin/login.asp → 404

Allowed paths (work normally):

  • /23591/mathematics-homepage
  • /mathe/1385/zahlen-und-größen
  • /user/me
  • All legitimate Serlo content paths

Fixes #797

Original prompt

This section gives details on the original issue you should resolve

<issue_title>Avoid common hackers alias calls to reach the database</issue_title>
<issue_description>Everybody that has a webapp knows that some bots are out there try to get secrets through some paths, like /.env or wp/admin....

Of course, we are not that dumm and are protected from these attacks. But it reaches oft through our alias query the database, making so unnecessary calls to it. We could simply block such requests, that we know we won't never have as alias.

See serlo/api.serlo.org#1573 (comment)</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #797
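As an added example (not the PR's or Serlo's own code), here is a runnable version of the check described above with the elided lists filled in only from the paths this PR names, plus a stand-in for redirectToCurrentAlias that shows the database lookup being skipped. It deviates from the PR's plain startsWith for the admin-panel prefixes by matching whole path segments, so a legitimate alias that merely begins with /admin... is not blocked; the names resolveAlias, lookupAlias and demo are assumptions.

```typescript
// Added example, not the PR's code. Lists hold only paths named in the PR description.
const DOTFILE_PREFIXES = ['/.env', '/.git']
const PANEL_PREFIXES = ['/wp-admin', '/wp-login', '/phpmyadmin', '/admin', '/administrator']
const BLOCKED_EXTENSIONS = ['.php', '.asp', '.jsp']

function isCommonHackerPath(path: string): boolean {
  // Drop any query string and compare case-insensitively (/WP-ADMIN == /wp-admin)
  const lowerPath = path.split('?')[0].toLowerCase()
  // Dotfile probes: plain prefix match as in the PR (also catches /.git/config)
  if (DOTFILE_PREFIXES.some((p) => lowerPath.startsWith(p))) return true
  // Admin panels: match whole path segments only, so that a legitimate alias
  // such as /administration-course is not mistaken for /admin
  if (PANEL_PREFIXES.some((p) => lowerPath === p || lowerPath.startsWith(p + '/'))) return true
  // Server-side script extensions that Serlo never serves
  return BLOCKED_EXTENSIONS.some((ext) => lowerPath.endsWith(ext))
}

type AliasResponse = { status: number; body: string }

// Stand-in for redirectToCurrentAlias (assumed shape): the lookup callback,
// representing the alias query, runs only for paths that pass the check.
function resolveAlias(path: string, lookupAlias: (p: string) => string | null): AliasResponse {
  if (isCommonHackerPath(path)) return { status: 404, body: 'Not Found' }
  const current = lookupAlias(path)
  if (current === null) return { status: 404, body: 'Not Found' }
  return current === path ? { status: 200, body: current } : { status: 301, body: current }
}

// Constructed demo: counts blocked probes and how often the fake database is hit
function demo(): { blocked: number; lookups: number } {
  let lookups = 0
  const fakeDb = new Map<string, string>([
    ['/23591/mathematics-homepage', '/23591/mathematics-homepage'],
    ['/mathe/1385/zahlen-und-größen', '/mathe/1385/zahlen-und-größen'],
  ])
  const lookupAlias = (p: string): string | null => {
    lookups++
    return fakeDb.get(p) ?? null
  }
  const probes = ['/.env', '/WP-ADMIN', '/phpmyadmin', '/test.php', '/admin/login.asp', '/.git/config']
  const legit = ['/23591/mathematics-homepage', '/mathe/1385/zahlen-und-größen', '/user/me', '/administration-course']
  let blocked = 0
  for (const p of [...probes, ...legit]) {
    resolveAlias(p, lookupAlias)
    if (isCommonHackerPath(p)) blocked++
  }
  return { blocked, lookups } // → { blocked: 6, lookups: 4 }
}
```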


Copilot AI changed the title [WIP] Avoid common hackers alias calls to reach the database Block common hacker paths from reaching the database Sep 30, 2025
Copilot AI requested a review from kulla September 30, 2025 15:16
Copilot finished work on behalf of kulla September 30, 2025 15:16
Member

kulla commented Sep 30, 2025

@copilot Rewrite so that a 404 is returned for those paths

Contributor Author

Copilot AI commented Sep 30, 2025

@copilot Rewrite so that a 404 is returned for those paths

Done. Modified the implementation to return new Response('Not Found', { status: 404 }) for hacker paths. The check was moved to redirectToCurrentAlias function to return the 404 response directly. All tests updated to expect 404 status. (commit 5b80761)

Copilot AI changed the title Block common hacker paths from reaching the database Block common hacker paths with 404 response Sep 30, 2025
Copilot finished work on behalf of kulla September 30, 2025 15:34
@kulla kulla marked this pull request as ready for review September 30, 2025 15:51
@kulla kulla merged commit 83c0072 into staging Sep 30, 2025
5 checks passed
@kulla kulla deleted the copilot/fix-776008d8-73f6-4320-afe4-8d0458e47731 branch September 30, 2025 15:51