Follow symlinks on target file path as well as user/config paths

signalapp · Sep 20, 2018 · 48d937b · 48d937b
1 parent 3464eb6
commit 48d937b
Showing 1 changed file with 12 additions and 5 deletions.
diff --git a/app/protocol_filter.js b/app/protocol_filter.js
@@ -1,4 +1,5 @@
 const path = require('path');
+const fs = require('fs');
 
 function _eliminateAllAfterCharacter(string, character) {
   const index = string.indexOf(character);
@@ -24,21 +25,27 @@ function _createFileHandler({ userDataPath, installPath, isWindows }) {
   return (request, callback) => {
     // normalize() is primarily useful here for switching / to \ on windows
     const target = path.normalize(_urlToPath(request.url, { isWindows }));
+    const realPath = fs.existsSync(target) ? fs.realpathSync(target) : target;
 
-    if (!path.isAbsolute(target)) {
-      console.log(`Warning: denying request to non-absolute path '${target}'`);
+    if (!path.isAbsolute(realPath)) {
+      console.log(
+        `Warning: denying request to non-absolute path '${realPath}'`
+      );
       return callback();
     }
 
-    if (!target.startsWith(userDataPath) && !target.startsWith(installPath)) {
+    if (
+      !realPath.startsWith(userDataPath) &&
+      !realPath.startsWith(installPath)
+    ) {
       console.log(
-        `Warning: denying request to path '${target}' (userDataPath: '${userDataPath}', installPath: '${installPath}')`
+        `Warning: denying request to path '${realPath}' (userDataPath: '${userDataPath}', installPath: '${installPath}')`
       );
       return callback();
     }
 
     return callback({
-      path: target,
+      path: realPath,
     });
   };
 }