Merge branch 'fix-dir-traversal-error'
arunoda committed Jun 1, 2017
2 parents 442c611 + 43c447e commit 02fe7cf
Showing 1 changed file with 18 additions and 1 deletion.
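--- a/server/index.js
+++ b/server/index.js
@@ -1,4 +1,4 @@
-import { resolve, join } from 'path'
+import { resolve, join, sep } from 'path'
 import { parse as parseUrl } from 'url'
 import { parse as parseQs } from 'querystring'
 import fs from 'fs'
@@ -295,6 +295,10 @@ export default class Server {
 }
 
 async serveStatic (req, res, path) {
+if (!this.isServeableUrl(path)) {
+return this.render404(req, res)
+}
+
 try {
 return await serveStatic(req, res, path)
 } catch (err) {
@@ -306,6 +310,19 @@ export default class Server {
 }
 }
 
+isServeableUrl (path) {
+const resolved = resolve(path)
+if (
+resolved.indexOf(join(this.dir, this.dist) + sep) !== 0 &&
+resolved.indexOf(join(this.dir, 'static') + sep) !== 0
+) {
+// Seems like the user is trying to traverse the filesystem.
+return false
+}
+
+return true
+}
+
 isInternalUrl (req) {
 for (const prefix of internalPrefixes) {
 if (prefix.test(req.url)) {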
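Review bot: `isServeableUrl` checks `resolve(path)` lexically, but the method `serveStatic` then passes the original `path` to the module-level `serveStatic(req, res, path)`, whose body is outside this section; if that helper decodes or normalises the path again, the string that was checked and the file that is opened can differ. `resolve()` also does not follow symlinks, so a link under `static` or the dist directory that points elsewhere still passes, and the prefix test presumably relies on `this.dir` being absolute, which is not visible here. I would state the contract above the method, e.g. `// path must be fully decoded; the check is lexical (no symlink resolution) and assumes this.dir is absolute`, and add a test asserting that a path resolving outside both roots ends in `render404`. The `Server` class body starts and ends outside the hunks shown.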
