/src/handler.js |
@@ -9,6 +9,7 @@ |
const fs = require('fs'); |
const mime = require('mime'); |
const auth = require("http-auth"); |
const JSONStream = require('JSONStream'); |
|
// Checks whether userPath is a child of rootPath. |
function isRooted(userPath, rootPath, separator, callback) { |
@@ -19,97 +20,93 @@ |
} |
|
// Serves files. |
function files(config, request, response, requestPath, callback) { |
function files(config, file, client, callback) { |
// Check if the file is accessible. |
fs.access(requestPath, fs.constants.R_OK, (error) => { |
fs.access(file, fs.constants.R_OK, (error) => { |
if (error) { |
process.nextTick(() => { |
const requestAddress = request.socket.address(); |
callback('Client: ' + |
requestAddress.address + ':' + |
requestAddress.port + |
' requesting inaccessible path: ' + |
requestPath, |
module.exports.error.level.WARN |
); |
callback({ |
message: 'Client: ' + |
client.address + ':' + |
client.port + |
' requesting inaccessible path: ' + |
file, |
severity: 'warning', |
status: 403 |
|
}); |
}); |
response.statusCode = 403; |
response.end(); |
return; |
} |
|
response.setHeader( |
'Content-Type', |
mime.lookup(requestPath) |
); |
|
var readStream = fs.createReadStream(requestPath) |
.on('open', () => { |
response.statusCode = 200; |
readStream.pipe(response); |
}) |
.on('error', () => { |
response.statusCode = 500; |
response.end(); |
process.nextTick(() => { |
callback({ |
message: 'Client: ' + |
client.address + ':' + |
client.port + |
' sent file: ' + |
file, |
severity: 'info', |
status: 200, |
data: fs |
.createReadStream(file), |
type: mime |
.lookup(file) |
}); |
}); |
|
}); |
} |
|
// Serves a directory listing or the document index in case it exists. |
function index(config, request, response, requestPath, requestURL, callback) { |
const root = path.resolve(requestPath, config.site.index); |
function index(config, directory, href, client, callback) { |
const root = path.resolve(directory, config.site.index); |
fs.stat(root, (error, stats) => { |
if (error) { |
if (config.site.indexing |
.some((directory) => |
directory.toUpperCase() === requestURL.toUpperCase())) { |
fs.readdir(requestPath, (error, paths) => { |
directory.toUpperCase() === href.toUpperCase())) { |
fs.readdir(directory, (error, paths) => { |
if (error) { |
process.nextTick(() => { |
const requestAddress = request.socket.address(); |
callback('Client: ' + |
requestAddress.address + ':' + |
requestAddress.port + |
' could not access directory: ' + |
requestPath, |
module.exports.error.level.WARN |
); |
callback({ |
message: 'Client: ' + |
client.address + ':' + |
client.port + |
' could not access directory: ' + |
directory, |
severity: 'warning', |
status: 500 |
}); |
}); |
response.statusCode = 500; |
response.end(); |
return; |
} |
process.nextTick(() => { |
const requestAddress = request.socket.address(); |
callback('Client: ' + |
requestAddress.address + ':' + |
requestAddress.port + |
' accessed directory listing: ' + |
requestPath, |
module.exports.error.level.WARN |
); |
callback({ |
message: 'Client: ' + |
client.address + ':' + |
client.port + |
' accessed directory listing: ' + |
directory, |
severity: 'warning', |
status: 200, |
data: JSONStream.parse(paths) |
}); |
}); |
response.statusCode = 200; |
response.write(JSON.stringify(paths)); |
response.end(); |
}); |
|
return; |
} |
// Could not access directory index file and directory listing not allowed. |
process.nextTick(() => { |
const requestAddress = request.socket.address(); |
callback('Client: ' + |
requestAddress.address + ':' + |
requestAddress.port + |
' accessing forbiden index: ' + |
requestURL, |
module.exports.error.level.WARN |
); |
callback({ |
message: 'Client: ' + |
client.address + ':' + |
client.port + |
' no index file found and accessing forbiden index: ' + |
href, |
severity: 'warning', |
status: 400 |
}); |
}); |
// Could not access directory index file and directory listing not allowed. |
response.statusCode = 404; |
response.end(); |
return; |
|
} |
@@ -118,57 +115,59 @@ |
fs.access(root, fs.constants.R_OK, (error) => { |
if (error) { |
process.nextTick(() => { |
const requestAddress = request.socket.address(); |
callback('Client: ' + |
requestAddress.address + ':' + |
requestAddress.port + |
' unable to access path: ' + |
requestPath, |
module.exports.error.level.WARN |
); |
callback({ |
message: 'Client: ' + |
client.address + ':' + |
client.port + |
' unable to access path: ' + |
directory, |
severity: 'warning', |
status: 403 |
}); |
}); |
response.statusCode = 403; |
response.end(); |
return; |
} |
|
// Set MIME content type. |
response.setHeader( |
'Content-Type', |
mime.lookup(root) |
); |
|
var readStream = fs.createReadStream(root) |
.on('open', () => { |
response.statusCode = 200; |
readStream.pipe(response); |
}) |
.on('error', () => { |
response.statusCode = 500; |
response.end(); |
process.nextTick(() => { |
callback({ |
message: 'Client: ' + |
client.address + ':' + |
client.port + |
' sent file: ' + |
root, |
severity: 'info', |
status: 200, |
data: fs.createReadStream(root), |
type: mime.lookup(root) |
}); |
|
}); |
}); |
}); |
} |
|
// Determines whether the requested filesystem request path is a directory or a file. |
function serve(config, request, response, requestPath, requestURL, callback) { |
fs.stat(requestPath, (error, stats) => { |
function serve(config, local, href, address, callback) { |
fs.stat(local, (error, stats) => { |
// Document does not exist. |
if (error) { |
response.statusCode = 404; |
response.end(); |
callback({ |
message: 'Client: ' + |
address.address + ':' + |
address.port + |
' accessing non-existent document: ' + |
local, |
severity: 'warning', |
status: 404 |
}); |
return; |
} |
|
if (stats.isDirectory()) { |
// Directory is requested so provide directory indexes. |
index(config, request, response, requestPath, requestURL, callback); |
index(config, local, href, address, callback); |
return; |
} |
if (stats.isFile()) { |
const file = path.parse(requestPath).base; |
const file = path.parse(local).base; |
|
// If the file matches the reject list or is not in the accept list, |
// then there is no file to serve. |
@@ -175,34 +174,26 @@ |
if (config.site.reject.some((expression) => expression.test(file)) || |
!config.site.accept.some((expression) => expression.test(file))) { |
process.nextTick(() => { |
const requestAddress = request.socket.address(); |
callback('Client: ' + |
requestAddress.address + ':' + |
requestAddress.port + |
' requested disallowed file: ' + |
file, |
module.exports.error.level.WARN |
); |
callback({ |
message: 'Client: ' + |
address.address + ':' + |
address.port + |
' requested disallowed file: ' + |
file, |
severity: 'warning', |
status: 404 |
}); |
}); |
response.statusCode = 404; |
response.end(); |
return; |
} |
|
// A file was requested so provide the file. |
files(config, request, response, requestPath, callback); |
files(config, local, address, callback); |
} |
}); |
} |
|
module.exports = { |
error: { |
level: { |
INFO: 1, |
WARN: 2, |
ERROR: 3 |
} |
}, |
process: (config, request, response, root, callback) => { |
process.nextTick(() => { |
const requestAddress = request.socket.address(); |
@@ -228,12 +219,13 @@ |
true |
) |
.pathname; |
callback('Rewrite path: ' + |
originalPath + |
' to: ' + |
requestURL.path, |
module.exports.error.level.INFO |
); |
callback({ |
message: 'Rewrite path: ' + |
originalPath + |
' to: ' + |
requestURL.path, |
severity: 'info' |
}); |
} |
}); |
|
@@ -249,15 +241,17 @@ |
fs.realpath(requestPath, (error, resolvedPath) => { |
// If the path does not exist, then return early. |
if (error) { |
callback('Unknown path requested: ' + |
requestAddress.address + ':' + |
requestAddress.port + |
' requesting: ' + |
requestURL.pathname, |
module.exports.error.level.WARN |
); |
response.statusCode = 404; |
response.end(); |
process.nextTick(() => { |
callback({ |
message: 'Unknown path requested: ' + |
requestAddress.address + ':' + |
requestAddress.port + |
' requesting: ' + |
requestURL.pathname, |
severity: 'warning', |
status: 404 |
}); |
}); |
return; |
} |
// Check for path traversals early on and bail if the requested path does not |
@@ -265,16 +259,16 @@ |
isRooted(resolvedPath, root, path.sep, (rooted) => { |
if (!rooted) { |
process.nextTick(() => { |
callback('Attempted path traversal: ' + |
requestAddress.address + ':' + |
requestAddress.port + |
' requesting: ' + |
requestURL.pathname, |
module.exports.error.level.WARN |
); |
callback({ |
message: 'Attempted path traversal: ' + |
requestAddress.address + ':' + |
requestAddress.port + |
' requesting: ' + |
requestURL.pathname, |
severity: 'warning', |
status: 404 |
}); |
}); |
response.statusCode = 404; |
response.end(); |
return; |
} |
|
@@ -292,19 +286,19 @@ |
// Requested location requires authentication. |
authentication.check(request, response, (request, response) => { |
process.nextTick(() => { |
callback('Authenticated client: ' + |
requestAddress.address + ':' + |
requestAddress.port + |
' accessing: ' + |
requestURL.pathname, |
module.exports.error.level.INFO |
); |
callback({ |
message: 'Authenticated client: ' + |
requestAddress.address + ':' + |
requestAddress.port + |
' accessing: ' + |
requestURL.pathname, |
severity: 'info' |
}); |
}); |
serve(config, |
request, |
response, |
requestPath, |
requestURL.pathname, |
requestAddress, |
callback |
); |
}); |
@@ -313,19 +307,19 @@ |
|
// If no authentication is required then serve the request. |
process.nextTick(() => { |
callback('Client: ' + |
requestAddress.address + ':' + |
requestAddress.port + |
' accessing: ' + |
requestURL.pathname, |
module.exports.error.level.INFO |
); |
callback({ |
message: 'Client: ' + |
requestAddress.address + ':' + |
requestAddress.port + |
' accessing: ' + |
requestURL.pathname, |
severity: 'info' |
}); |
}); |
serve(config, |
request, |
response, |
requestPath, |
requestURL.pathname, |
requestAddress, |
callback |
); |
}); |