SECURITY FIX

* Do not allow relative paths to route outside of the www static root area
This commit is contained in:
Bryan Ashby 2020-11-27 12:50:57 -07:00
parent 50b35d8cac
commit cd3b495e6c
No known key found for this signature in database
GPG Key ID: B49EB437951D2542
1 changed files with 13 additions and 3 deletions


@ -215,20 +215,22 @@ exports.getModule = class WebServerModule extends ServerModule {
routeIndex(req, resp) { routeIndex(req, resp) {
const filePath = paths.join(Config().contentServers.web.staticRoot, 'index.html'); const filePath = paths.join(Config().contentServers.web.staticRoot, 'index.html');
return this.returnStaticPage(filePath, resp); return this.returnStaticPage(filePath, resp);
} }
routeStaticFile(req, resp) { routeStaticFile(req, resp) {
const fileName = req.url.substr(req.url.indexOf('/', 1)); const fileName = req.url.substr(req.url.indexOf('/', 1));
const filePath = paths.join(Config().contentServers.web.staticRoot, fileName); const filePath = this.resolveStaticPath(fileName);
return this.returnStaticPage(filePath, resp); return this.returnStaticPage(filePath, resp);
} }
returnStaticPage(filePath, resp) { returnStaticPage(filePath, resp) {
const self = this; const self = this;
if (!filePath) {
return this.fileNotFound(resp);
}
fs.stat(filePath, (err, stats) => { fs.stat(filePath, (err, stats) => {
if(err || !stats.isFile()) { if(err || !stats.isFile()) {
return self.fileNotFound(resp); return self.fileNotFound(resp);
@ -245,6 +247,14 @@ exports.getModule = class WebServerModule extends ServerModule {
}); });
} }
resolveStaticPath(requestPath) {
const staticRoot = _.get(Config(), 'contentServers.web.staticRoot');
const path = paths.resolve(staticRoot, `.${requestPath}`);
if (path.startsWith(staticRoot)) {
return path;
}
}
routeTemplateFilePage(templatePath, preprocessCallback, resp) { routeTemplateFilePage(templatePath, preprocessCallback, resp) {
const self = this; const self = this;