return 403 on symlink when deny-symlinks flag set. #646 #659

sintaxi · Jun 7, 2021 · 426d68a · 426d68a
1 parent 5b6af45
commit 426d68a
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 28 deletions.
diff --git a/lib/index.js b/lib/index.js
@@ -25,10 +25,9 @@ exports.server = function(dirPath, options){
   app.use(middleware.basicAuth)
   app.use(middleware.underscore)
   app.use(middleware.mwl)
+  app.use(middleware.denySymlink(options))
   app.use(middleware.static)
   app.use(middleware.poly)
-  app.use(middleware.setupPaths)
-  app.use(middleware.denySymlink(options))
   app.use(middleware.process)
   app.use(middleware.fallback2)
   return app

diff --git a/lib/middleware.js b/lib/middleware.js
@@ -567,14 +567,6 @@ var poly = exports.poly = function(req, rsp, next){
 }
 
 
-exports.setupPaths = function(req, rsp, next){
-  req.normalizedPath  = helpers.normalizeUrl(req.url)
-  req.priorityList    = terraform.helpers.buildPriorityList(req.normalizedPath)
-  req.sourceFile      = terraform.helpers.findFirstFile(req.setup.publicPath, req.priorityList)
-  return next()
-}
-
-
 /**
  * Deny Symlink
  */
@@ -583,28 +575,16 @@ exports.denySymlink = function(options){
   options = options || {}
 
   return function(req, rsp, next){
-    if (!req.sourceFile)                            return next()
     if (!options.hasOwnProperty("deny-symlinks")) return next()
-    if (!options["deny-symlinks"] === false)      return next()
-
-    req.sourceFilePath = path.join(req.setup.publicPath, req.sourceFile)
-    fs.lstat(req.sourceFilePath, function(err, stats) {
+    if (options["deny-symlinks"] === false) return next()
+    var sourceFilePath = path.join(req.setup.publicPath, helpers.normalizeUrl(req.url))
+    fs.lstat(sourceFilePath, function(err, stats) {
       if (!stats.isSymbolicLink()) return next()
-      if (stats.isSymbolicLink()) {
-        fs.readlink(req.sourceFile, function (err, symlinkTo) {
-          // forbidding access if the symlink points to a file outside of the project's base directory to prevent path traversal
-          var projectPath = path.dirname(require.main.filename) // full path of the project's main file
-          var symlinkPath = path.dirname(symlinkTo)             // full path of the symlink
-          if (projectPath !== symlinkPath) {
-            var body = "403 Forbidden"
-            rsp.statusCode = 403
-            rsp.end(body)
-          }
-        })
-      }
+      var body = "403 Forbidden"
+      rsp.statusCode = 403
+      rsp.end(body)
     })
   }
-
 }