Fix path traversal issue
thgh committed Jul 17, 2020
1 parent 71cc20d commit 3d144f2
Showing 2 changed files with 9 additions and 2 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
Expand Up @@ -2,6 +2,10 @@

All notable changes to `rollup-plugin-serve` will be documented in this file.

## [1.0.2] - 2020-07-17
### Fixed
- Fix path traversal issue

## [1.0.1] - 2019-01-27
### Added
- Add Intellisense support #34
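
Review bot: The 1.0.2 entry "Fix path traversal issue" only repeats the commit subject and sits under "### Fixed", so a reader cannot tell that this is a security fix or what was exposed. Suggest a "### Security" heading, which fits the heading scheme this file already uses, and one line stating the affected behaviour (request paths resolving outside `contentBase`) so users can judge whether they need to upgrade.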
7 changes: 5 additions & 2 deletions src/index.js
@@ -1,7 +1,7 @@
import { readFile } from 'fs'
import { createServer as createHttpsServer } from 'https'
import { createServer } from 'http'
import { resolve } from 'path'
import { resolve, normalize } from 'path'

import mime from 'mime'
import opener from 'opener'
Expand All @@ -26,7 +26,10 @@ function serve (options = { contentBase: '' }) {

const requestListener = (request, response) => {
// Remove querystring
const urlPath = decodeURI(request.url.split('?')[0])
const unsafePath = decodeURI(request.url.split('?')[0])

// Don't allow path traversal
const urlPath = normalize(unsafePath)

Object.keys(options.headers).forEach((key) => {
response.setHeader(key, options.headers[key])
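
Review bot: At `const urlPath = normalize(unsafePath)`, `normalize` only collapses `..` segments lexically and does not confine the result to `options.contentBase`, so the comment "Don't allow path traversal" promises more than the call guarantees. When the request target does not begin with `/`, leading `..` segments survive normalization unchanged. Suggest resolving the candidate against the content base with the already-imported `resolve` and rejecting the request unless the result equals the base or starts with the base plus the path separator. Separately, `decodeURI` on the line above throws a `URIError` on malformed percent-encoding and nothing visible in the listener catches it; wrapping it and answering 400 would keep a bad request from surfacing as an uncaught exception.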