Fix a path traversal issue when using root

fixes #59
fixes #60

History.md

@@ -1,3 +1,8 @@
+unreleased
+==========
+
+  * Fix a path traversal issue when using `root`
+
 0.8.3 / 2014-08-16
 ==================
 

lib/send.js

@@ -412,7 +412,7 @@ SendStream.prototype.pipe = function(res){
   if (root !== null) {
     // join / normalize from optional root dir
     path = normalize(join(root, path))
-    root = normalize(root)
+    root = normalize(root + sep)
 
     // malicious path
     if (path.substr(0, root.length) !== root) {
@@ -421,7 +421,7 @@ SendStream.prototype.pipe = function(res){
     }
 
     // explode path parts
-    parts = path.substr(root.length + 1).split(sep)
+    parts = path.substr(root.length).split(sep)
   } else {
     // ".." is malicious without "root"
     if (upPathRegexp.test(path)) {

test/fixtures/name.d/name.txt

@@ -0,0 +1 @@
+loki

test/send.js

@@ -1097,6 +1097,17 @@ describe('send(file, options)', function(){
         .expect(200, 'tobi', done)
       })
 
+      it('should with with trailing slash', function(done){
+        var app = http.createServer(function(req, res){
+          send(req, req.url, {root: __dirname + '/fixtures/'})
+          .pipe(res);
+        });
+
+        request(app)
+        .get('/name.txt')
+        .expect(200, 'tobi', done)
+      })
+
       it('should restrict paths to within root', function(done){
         var app = http.createServer(function(req, res){
           send(req, req.url, {root: __dirname + '/fixtures'})
@@ -1118,6 +1129,17 @@ describe('send(file, options)', function(){
         .get('/pets/../../send.js')
         .expect(403, done)
       })
+
+      it('should not allow root transversal', function(done){
+        var app = http.createServer(function(req, res){
+          send(req, req.url, {root: __dirname + '/fixtures/name.d'})
+          .pipe(res);
+        });
+
+        request(app)
+        .get('/../name.dir/name.txt')
+        .expect(403, done)
+      })
     })
 
     describe('when missing', function(){