/src/handler.js |
@@ -9,7 +9,7 @@ |
const fs = require('fs'); |
const mime = require('mime'); |
const auth = require("http-auth"); |
const JSONStream = require('JSONStream'); |
const stream = require('stream'); |
|
// Checks whether userPath is a child of rootPath. |
function isRooted(userPath, rootPath, separator, callback) { |
@@ -24,7 +24,6 @@ |
// Check if the file is accessible. |
fs.access(file, fs.constants.R_OK, (error) => { |
if (error) { |
process.nextTick(() => { |
callback({ |
message: 'Client: ' + |
client.address + ':' + |
@@ -31,14 +30,18 @@ |
client.port + |
' requesting inaccessible path: ' + |
file, |
severity: 'warning', |
status: 403 |
|
severity: 'warning' |
}, { |
status: 403, |
data: new stream.Readable({ |
read(size) { |
this.push(null); |
} |
}), |
type: 'text/plain' |
}); |
}); |
return; |
} |
process.nextTick(() => { |
callback({ |
message: 'Client: ' + |
client.address + ':' + |
@@ -45,7 +48,8 @@ |
client.port + |
' sent file: ' + |
file, |
severity: 'info', |
severity: 'info' |
}, { |
status: 200, |
data: fs |
.createReadStream(file), |
@@ -53,8 +57,6 @@ |
.lookup(file) |
}); |
}); |
|
}); |
} |
|
// Serves a directory listing or the document index in case it exists. |
@@ -67,7 +69,7 @@ |
directory.toUpperCase() === href.toUpperCase())) { |
fs.readdir(directory, (error, paths) => { |
if (error) { |
process.nextTick(() => { |
console.log("listing forbidden..."); |
callback({ |
message: 'Client: ' + |
client.address + ':' + |
@@ -74,13 +76,19 @@ |
client.port + |
' could not access directory: ' + |
directory, |
severity: 'warning', |
status: 500 |
severity: 'warning' |
}, { |
status: 500, |
data: new stream.Readable({ |
read(size) { |
this.push(null); |
} |
}), |
type: 'text/plain' |
}); |
}); |
return; |
} |
process.nextTick(() => { |
console.log("sending listing..."); |
callback({ |
message: 'Client: ' + |
client.address + ':' + |
@@ -87,16 +95,22 @@ |
client.port + |
' accessed directory listing: ' + |
directory, |
severity: 'warning', |
severity: 'info' |
}, { |
status: 200, |
data: JSONStream.parse(paths) |
data: new stream.Readable({ |
read(size) { |
this.push(JSON.stringify(paths)); |
this.push(null); |
} |
}), |
type: 'application/json' |
}); |
}); |
}); |
return; |
} |
// Could not access directory index file and directory listing not allowed. |
process.nextTick(() => { |
console.log("no dirindex..."); |
callback({ |
message: 'Client: ' + |
client.address + ':' + |
@@ -103,18 +117,22 @@ |
client.port + |
' no index file found and accessing forbiden index: ' + |
href, |
severity: 'warning', |
status: 400 |
severity: 'warning' |
}, { |
status: 403, |
data: new stream.Readable({ |
read(size) { |
this.push(null); |
} |
}), |
type: 'text/plain' |
}); |
}); |
return; |
|
} |
|
// Serve the document index. |
fs.access(root, fs.constants.R_OK, (error) => { |
if (error) { |
process.nextTick(() => { |
callback({ |
message: 'Client: ' + |
client.address + ':' + |
@@ -121,13 +139,18 @@ |
client.port + |
' unable to access path: ' + |
directory, |
severity: 'warning', |
status: 403 |
severity: 'warning' |
}, { |
status: 403, |
data: new stream.Readable({ |
read(size) { |
this.push(null); |
} |
}), |
type: 'text/plain' |
}); |
}); |
return; |
} |
process.nextTick(() => { |
callback({ |
message: 'Client: ' + |
client.address + ':' + |
@@ -134,7 +157,8 @@ |
client.port + |
' sent file: ' + |
root, |
severity: 'info', |
severity: 'info' |
}, { |
status: 200, |
data: fs.createReadStream(root), |
type: mime.lookup(root) |
@@ -141,7 +165,6 @@ |
}); |
}); |
}); |
}); |
} |
|
// Determines whether the requested filesystem request path is a directory or a file. |
@@ -155,8 +178,15 @@ |
address.port + |
' accessing non-existent document: ' + |
local, |
severity: 'warning', |
status: 404 |
severity: 'warning' |
}, { |
status: 404, |
data: new stream.Readable({ |
read(size) { |
this.push(null); |
} |
}), |
type: 'text/plain' |
}); |
return; |
} |
@@ -173,7 +203,6 @@ |
// then there is no file to serve. |
if (config.site.reject.some((expression) => expression.test(file)) || |
!config.site.accept.some((expression) => expression.test(file))) { |
process.nextTick(() => { |
callback({ |
message: 'Client: ' + |
address.address + ':' + |
@@ -180,10 +209,16 @@ |
address.port + |
' requested disallowed file: ' + |
file, |
severity: 'warning', |
status: 404 |
severity: 'warning' |
}, { |
status: 404, |
data: new stream.Readable({ |
read(size) { |
this.push(null); |
} |
}), |
type: 'text/plain' |
}); |
}); |
return; |
} |
|
@@ -195,7 +230,6 @@ |
|
module.exports = { |
process: (config, request, response, root, callback) => { |
process.nextTick(() => { |
const requestAddress = request.socket.address(); |
const requestURL = url.parse( |
request.url, true |
@@ -241,7 +275,6 @@ |
fs.realpath(requestPath, (error, resolvedPath) => { |
// If the path does not exist, then return early. |
if (error) { |
process.nextTick(() => { |
callback({ |
message: 'Unknown path requested: ' + |
requestAddress.address + ':' + |
@@ -248,10 +281,16 @@ |
requestAddress.port + |
' requesting: ' + |
requestURL.pathname, |
severity: 'warning', |
status: 404 |
severity: 'warning' |
}, { |
status: 404, |
data: new stream.Readable({ |
read(size) { |
this.push(null); |
} |
}), |
type: 'text/plain' |
}); |
}); |
return; |
} |
// Check for path traversals early on and bail if the requested path does not |
@@ -258,7 +297,6 @@ |
// lie within the specified document root. |
isRooted(resolvedPath, root, path.sep, (rooted) => { |
if (!rooted) { |
process.nextTick(() => { |
callback({ |
message: 'Attempted path traversal: ' + |
requestAddress.address + ':' + |
@@ -265,10 +303,16 @@ |
requestAddress.port + |
' requesting: ' + |
requestURL.pathname, |
severity: 'warning', |
status: 404 |
severity: 'warning' |
}, { |
status: 404, |
data: new stream.Readable({ |
read(size) { |
this.push(null); |
} |
}), |
type: 'text/plain' |
}); |
}); |
return; |
} |
|
@@ -285,7 +329,6 @@ |
}); |
// Requested location requires authentication. |
authentication.check(request, response, (request, response) => { |
process.nextTick(() => { |
callback({ |
message: 'Authenticated client: ' + |
requestAddress.address + ':' + |
@@ -294,7 +337,6 @@ |
requestURL.pathname, |
severity: 'info' |
}); |
}); |
serve(config, |
requestPath, |
requestURL.pathname, |
@@ -306,7 +348,6 @@ |
} |
|
// If no authentication is required then serve the request. |
process.nextTick(() => { |
callback({ |
message: 'Client: ' + |
requestAddress.address + ':' + |
@@ -315,7 +356,6 @@ |
requestURL.pathname, |
severity: 'info' |
}); |
}); |
serve(config, |
requestPath, |
requestURL.pathname, |
@@ -324,6 +364,5 @@ |
); |
}); |
}); |
}); |
} |
}; |
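Review bot: In the directory-listing hunk (`@@ -87,16 +95,22 @@`) the new `read(size)` body serializes the raw `fs.readdir` result, `this.push(JSON.stringify(paths));`, so every entry name in the directory is disclosed to the client, including files that the `config.site.reject` / `config.site.accept` expressions in the later hunk (`@@ -173,7 +203,6 @@`) would refuse to serve when requested directly; if those expressions are the only per-file filter, the listing leaks the names of the very files the server hides. Assuming `config` is in scope in this function (the `serve(config, …)` calls at the end suggest it is) and that the expressions are meant for full paths as at `expression.test(file)`, the listing can be filtered before serialization: `const listing = paths.filter((entry) => !config.site.reject.some((expression) => expression.test(path.join(directory, entry))));` followed by `this.push(JSON.stringify(listing));`. Separately, the five-line `new stream.Readable({ read(size) { this.push(null); } })` empty body is repeated in eight hunks of this file with an unused `size` parameter; a single module-level `const emptyBody = () => new stream.Readable({ read() { this.push(null); } });` used as `data: emptyBody()` would remove the duplication. The enclosing listing function begins before the hunk, so the exact scope of `config` and `directory` should be confirmed in the full file.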