Sanitized paths

Adrian Victor 2024-11-16 21:22:51 -03:00
commit 0dad0cce04


@ -22,8 +22,8 @@ if(config.useHTTPS) {
function requestHandler(request: IncomingMessage, response: ServerResponse) { function requestHandler(request: IncomingMessage, response: ServerResponse) {
const parsed = url.parse(request.url || '/', true); const parsed = url.parse(request.url || '/', true);
const path_ = decodeURI(parsed.pathname || '/'); const path_ = decodeURI(parsed.pathname || '/');
const serversidePath = path.join(config.serverRoot + path_); const serversidePath = path.resolve(config.serverRoot + path_);
const defaultPagePath = path.join(config.serverRoot + config.defaultPage); const defaultPagePath = path.resolve(config.serverRoot + config.defaultPage);
const finalPath = (config.useDefaultPage && request.url == '/') ? path.normalize(defaultPagePath) : serversidePath; const finalPath = (config.useDefaultPage && request.url == '/') ? path.normalize(defaultPagePath) : serversidePath;
// console.log(finalPath) // console.log(finalPath)
@ -71,7 +71,7 @@ function requestHandler(request: IncomingMessage, response: ServerResponse) {
} }
// console.log(`Requested ${path_}, accessing ${config.useDefaultPage && request.url == '/' ? defaultPagePath : serversidePath}`) // console.log(`Requested ${path_}, accessing ${config.useDefaultPage && request.url == '/' ? defaultPagePath : serversidePath}`)
if (!finalPath.startsWith(path.normalize(config.serverRoot))) { if (!finalPath.startsWith(path.resolve(config.serverRoot))) {
showError(403, undefined, `someone is trying to access files (${finalPath}) outside server root (${config.serverRoot})`) showError(403, undefined, `someone is trying to access files (${finalPath}) outside server root (${config.serverRoot})`)
return; return;
} }
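Review bot: The root check on the `if (!finalPath.startsWith(path.resolve(config.serverRoot)))` line in the second hunk still accepts paths in a sibling directory whose name merely begins with the root's name (a root of `/srv/site` also matches a resolved `/srv/site-old/...`), because no separator is required after the prefix. Compare against the resolved root plus a separator and allow the exact root itself: `const root = path.resolve(config.serverRoot);` then `if (finalPath !== root && !finalPath.startsWith(root + path.sep)) {`. This gap exists with the old `path.normalize` form as well, so the commit's switch to `path.resolve` in the first hunk (which also collapses `..` segments) does not close it. `decodeURI` on the context line of the first hunk throws `URIError` on malformed percent-encoding, so a guard there would keep a bad request from becoming an unhandled exception rather than a 4xx. The body of `requestHandler` continues outside both hunks.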