From 426d68ac71ba90451693ad7db8c50e44c1276f86 Mon Sep 17 00:00:00 2001
From: Brock Whitten
Date: Mon, 7 Jun 2021 02:38:25 -0700
Subject: [PATCH] return 403 on symlink when deny-symlinks flag set. #646 #659
---
 lib/index.js | 3 +--
 lib/middleware.js | 32 ++++++--------------------------
 2 files changed, 7 insertions(+), 28 deletions(-)
diff --git a/lib/index.js b/lib/index.js
index e3b07d0..f105ec8 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -25,10 +25,9 @@ exports.server = function(dirPath, options){
 app.use(middleware.basicAuth)
 app.use(middleware.underscore)
 app.use(middleware.mwl)
+ app.use(middleware.denySymlink(options))
 app.use(middleware.static)
 app.use(middleware.poly)
- app.use(middleware.setupPaths)
- app.use(middleware.denySymlink(options))
 app.use(middleware.process)
 app.use(middleware.fallback2)
 return app
diff --git a/lib/middleware.js b/lib/middleware.js
index c35a01c..2a88d56 100644
--- a/lib/middleware.js
+++ b/lib/middleware.js
@@ -567,14 +567,6 @@ var poly = exports.poly = function(req, rsp, next){
 }
-exports.setupPaths = function(req, rsp, next){
- req.normalizedPath = helpers.normalizeUrl(req.url)
- req.priorityList = terraform.helpers.buildPriorityList(req.normalizedPath)
- req.sourceFile = terraform.helpers.findFirstFile(req.setup.publicPath, req.priorityList)
- return next()
-}
-
-
 /**
 * Deny Symlink
 */
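Review bot: Moving `app.use(middleware.denySymlink(options))` ahead of `middleware.static` makes the check run on every request, including URLs that resolve to no file, while the old `if (!req.sourceFile) return next()` guard disappears together with `setupPaths`. The relocated middleware (second file of this patch) passes the `fs.lstat` result straight to `stats.isSymbolicLink()` without looking at `err`, so with `deny-symlinks` set a request for a missing path would throw inside the callback instead of falling through to `fallback2`; the callback should start with `if (err) return next()`. Since the URL is no longer resolved to the source file actually served (presumably `/about` maps to a processed source via the priority list the removed `setupPaths` built), an `lstat` of the literal URL path also misses symlinked source files and symlinked parent directories, which `lstat` on the final component never reports — worth a comment on this line or a real-path check before serving. `exports.server` continues past the hunk.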
@@ -583,28 +575,16 @@ exports.denySymlink = function(options){
 options = options || {}
 return function(req, rsp, next){
- if (!req.sourceFile) return next()
 if (!options.hasOwnProperty("deny-symlinks")) return next()
- if (!options["deny-symlinks"] === false) return next()
-
- req.sourceFilePath = path.join(req.setup.publicPath, req.sourceFile)
- fs.lstat(req.sourceFilePath, function(err, stats) {
+ if (options["deny-symlinks"] === false) return next()
+ var sourceFilePath = path.join(req.setup.publicPath, helpers.normalizeUrl(req.url))
+ fs.lstat(sourceFilePath, function(err, stats) {
 if (!stats.isSymbolicLink()) return next()
- if (stats.isSymbolicLink()) {
- fs.readlink(req.sourceFile, function (err, symlinkTo) {
- // forbidding access if the symlink points to a file outside of the project's base directory to prevent path traversal
- var projectPath = path.dirname(require.main.filename) // full path of the project's main file
- var symlinkPath = path.dirname(symlinkTo) // full path of the symlink
- if (projectPath !== symlinkPath) {
- var body = "403 Forbidden"
- rsp.statusCode = 403
- rsp.end(body)
- }
- })
- }
+ var body = "403 Forbidden"
+ rsp.statusCode = 403
+ rsp.end(body)
 })
 }
-
 }