Fix path traversal vulnerability #233
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ryan-ally
approved these changes
Jun 7, 2022
Add individual routes for each tutorial page instead of using a single parameterized route. The parameterized route allowed the user to pass unexpected :page values. Relative paths could be specified to access arbitrary files with extension ".html". Specifying any other extension would cause express to dynamically require the module with the matching name. This allowed loading of locally or globally installed modules, and also permitted dependency enumeration.
rcowsill
force-pushed
the
fix/path-traversal
branch
from
8f6803b
to
69e3d0d
Compare
|
Thanks! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The first commit moves the tutorial routes out of
routes/index.jsand into a separate router. This is to avoid cluttering the top-level route setup with the tutorial routing code. The tutorial is effectively a microsite alongside the main application, so it seems reasonable to split it out like this.The second commit replaces the
/tutorial/:pageroute with individual routes for each page.Currently the set of allowed pages is just listed explicitly. I considered generating the page list from the filesystem or using HenrikJoreteg/semi-static, but that would require moving the templates around to avoid serving the layout template.
Fixes #232