Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

Don't let path.normalize get above the root.

Any path.join or path.normalize that starts with a / will not go "above" that after normalization.  This is important because /../foo is almost *always* some sort of error, and doesn't match the corollary in sh: `cd $p; pwd`

At the worse, this can be a vector for exploits, since a static file server might do path.join(docroot, path.normalize("/"+req)) to get the file.  If the normalized request path could be something like "/../../../etc/passwd" then bad things could happen.
  • Loading branch information...
commit 65037eeb320f33b955923ff664f46b265e7bbccb 1 parent dc8c079
@isaacs isaacs authored ry committed
Showing with 6 additions and 0 deletions.
  1. +4 −0 lib/path.js
  2. +2 −0  test/simple/test-path.js
View
4 lib/path.js
@@ -14,6 +14,10 @@ exports.normalizeArray = function (parts, keepBlanks) {
// if it's a dot, and there was some previous dir already, then skip it.
if (directory === "." && prev !== undefined) continue;
+ // if it starts with "", and is a . or .., then skip it.
+ if (directories.length === 1 && directories[0] === "" && (
+ directory === "." || directory === "..")) continue;
+
if (
directory === ".."
&& directories.length
View
2  test/simple/test-path.js
@@ -38,9 +38,11 @@ assert.equal(path.extname("file.ext.ext"), ".ext");
assert.equal(path.extname("file."), ".");
assert.equal(path.join(".", "fixtures/b", "..", "/b/c.js"), "fixtures/b/c.js");
+assert.equal(path.join("/foo", "../../../bar"), "/bar");
assert.equal(path.normalize("./fixtures///b/../b/c.js"), "fixtures/b/c.js");
assert.equal(path.normalize("./fixtures///b/../b/c.js",true), "fixtures///b/c.js");
+assert.equal(path.normalize("/foo/../../../bar"), "/bar");
assert.deepEqual(path.normalizeArray(["fixtures","b","","..","b","c.js"]), ["fixtures","b","c.js"]);
assert.deepEqual(path.normalizeArray(["fixtures","","b","..","b","c.js"], true), ["fixtures","","b","c.js"]);
Please sign in to comment.
Something went wrong with that request. Please try again.