fix filename xss

jarofghosts · Jul 18, 2020 · cdc68bb · cdc68bb
1 parent 06dcd54
commit cdc68bb
Show file tree

Hide file tree

Showing 8 changed files with 147 additions and 74 deletions.
diff --git a/bin/glance.js b/bin/glance.js
@@ -25,7 +25,7 @@ var noptions = {
   port: Number,
   verbose: Boolean,
   help: Boolean,
-  version: Boolean
+  version: Boolean,
 }
 
 var shorts = {
@@ -36,7 +36,7 @@ var shorts = {
   p: ['--port'],
   v: ['--verbose'],
   h: ['--help'],
-  V: ['--version']
+  V: ['--version'],
 }
 
 var glanceVersion = require('../package.json').version

diff --git a/index.js b/index.js
@@ -35,13 +35,13 @@ Glance.prototype = Object.create(EE.prototype)
 Glance.prototype.start = function Glance$start() {
   var self = this
 
-  self.server = http.createServer(function(req, res) {
+  self.server = http.createServer(function (req, res) {
     self.serveRequest(req, res)
   })
 
   self.server.listen(self.port, emitStarted)
 
-  self.server.addListener('connection', function(con) {
+  self.server.addListener('connection', function (con) {
     con.setTimeout(500)
   })
 
@@ -82,7 +82,7 @@ Glance.prototype.serveRequest = function Glance$serveRequest(req, res) {
 
   if (
     self.nodot &&
-    request.fullPath.split(path.sep).some(function(dir) {
+    request.fullPath.split(path.sep).some(function (dir) {
       return dir.startsWith('.')
     })
   ) {
@@ -139,13 +139,21 @@ Glance.prototype.serveRequest = function Glance$serveRequest(req, res) {
 
       var listingHtml = '<h3>Directory Listing</h3>'
 
-      var listing = htmlls(listPath, {hideDot: self.nodot})
+      var listing = htmlls(listPath, {
+        hideDot: self.nodot,
+        transformHref: function (str) {
+          return encodeURI(str)
+        },
+        transformLinkText: function (str) {
+          return str.replace(/\</g, '&lt;').replace(/\>/g, '&gt;')
+        },
+      })
 
-      listing.on('data', function(buf) {
+      listing.on('data', function (buf) {
         listingHtml += buf.toString()
       })
 
-      listing.on('end', function() {
+      listing.on('end', function () {
         renderPage('Directory Listing', listingHtml, res)
       })
 
@@ -163,11 +171,11 @@ function showError(errorCode, req, res) {
     path.join(__dirname, 'errors', errorCode + '.html')
   )
 
-  errorPage.on('data', function(buf) {
+  errorPage.on('data', function (buf) {
     errorHtml += buf.toString()
   })
 
-  errorPage.on('end', function() {
+  errorPage.on('end', function () {
     var title = errorTitle(errorCode)
     renderPage(title, errorHtml, res)
   })
@@ -188,7 +196,7 @@ function errorTitle(errorCode) {
     '404': 'File Not Found',
     '403': 'Forbidden',
     '405': 'Method Not Allowed',
-    '500': 'Internal Server Error'
+    '500': 'Internal Server Error',
   }
   return mappings[errorCode.toString()]
 }

diff --git a/lib/config.js b/lib/config.js
@@ -4,5 +4,5 @@ module.exports = {
   indices: ['index.html', 'index.htm'],
   dir: process.cwd(),
   verbose: false,
-  nodot: false
+  nodot: false,
 }
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -29,7 +29,7 @@
   "dependencies": {
     "bash-color": "0.0.3",
     "filed": "0.1.0",
-    "html-ls": "1.0.0",
+    "html-ls": "2.1.0",
     "mime": "1.4.1",
     "nopt": "3.0.4",
     "stream-replace": "1.0.0",

diff --git a/test/glance-test/test1/<img src=x onerror=alert(1)> b/test/glance-test/test1/<img src=x onerror=alert(1)>