/server.js |
@@ -83,7 +83,7 @@ |
http.createServer( |
// authentication, |
(request, response) => |
handler.handleClient(config, request, response, root, (error, level) => { |
handler.process(config, request, response, root, (error, level) => { |
switch (level) { |
case handler.error.level.INFO: |
log.info(error); |
@@ -121,7 +121,7 @@ |
cert: certificates.certificate, |
}, |
(request, response) => |
handler.handleClient(config, request, response, root, (error, level) => { |
handler.process(config, request, response, root, (error, level) => { |
switch (level) { |
case handler.error.level.INFO: |
log.info(error); |
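Review bot: The export renamed to `process` on L7 and L16 now carries the same name as Node's global `process`, which src/handler.js uses on the very next lines for `process.nextTick`; the property and the global never collide at runtime, but a reader of `handler.process(...)` has to stop and work out which one is meant, and a name that says what it does, e.g. `handleRequest`, avoids that. The callback's first argument is a log message string, not an Error (the INFO branch passes it straight to `log.info`, and handler.js builds it from `'Client: ' + …`), so `(message, level) => {` on those same lines would describe it better than `(error, level)`. Both createServer calls and their callbacks continue outside the hunks.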
/src/handler.js |
@@ -9,7 +9,7 @@ |
const fs = require('fs'); |
const mime = require('mime'); |
|
// Check for path traversal. |
// Checks whether userPath is a child of rootPath |
function isRooted(userPath, rootPath, separator) { |
userPath = userPath.split(separator).filter(Boolean); |
rootPath = rootPath.split(separator).filter(Boolean); |
@@ -25,18 +25,20 @@ |
ERROR: 3 |
} |
}, |
handleClient: (config, request, response, root, callback) => { |
process: (config, request, response, root, callback) => { |
process.nextTick(() => { |
const requestAddress = request.socket.address(); |
const requestedURL = url.parse(request.url, true); |
|
callback('Client: ' + |
requestAddress.address + ':' + |
requestAddress.port + |
' accessing: ' + |
requestedURL.pathname, |
module.exports.error.level.INFO |
); |
process.nextTick(() => { |
callback('Client: ' + |
requestAddress.address + ':' + |
requestAddress.port + |
' accessing: ' + |
requestedURL.pathname, |
module.exports.error.level.INFO |
); |
}); |
|
const trimmedPath = requestedURL |
.pathname |
@@ -48,13 +50,15 @@ |
path.resolve(root, trimmedPath); |
|
if (!isRooted(filesystemPath, root, path.sep)) { |
callback('Attempted path traversal: ' + |
requestAddress.address + ':' + |
requestAddress.port + |
' requesting: ' + |
requestedURL.pathname, |
module.exports.error.level.WARN |
); |
process.nextTick(() => { |
callback('Attempted path traversal: ' + |
requestAddress.address + ':' + |
requestAddress.port + |
' requesting: ' + |
requestedURL.pathname, |
module.exports.error.level.WARN |
); |
}); |
response.statusCode = 403; |
response.end(); |
return; |
@@ -75,18 +79,22 @@ |
if (error) { |
fs.readdir(filesystemPath, (error, paths) => { |
if (error) { |
callback('Could not list directory: ' + |
filesystemPath, |
module.exports.error.level.ERROR |
); |
process.nextTick(() => { |
callback('Could not list directory: ' + |
filesystemPath, |
module.exports.error.level.ERROR |
); |
}); |
response.statusCode = 500; |
response.end(); |
return; |
} |
callback('Directory listing requested for: ' + |
filesystemPath, |
module.exports.error.level.INFO |
); |
process.nextTick(() => { |
callback('Directory listing requested for: ' + |
filesystemPath, |
module.exports.error.level.INFO |
); |
}); |
response.statusCode = 200; |
response.write(JSON.stringify(paths)); |
response.end(); |
@@ -97,10 +105,12 @@ |
|
fs.access(filesystemPath, fs.constants.R_OK, (error) => { |
if (error) { |
callback('The server was unable to access the filesystem path: ' + |
filesystemPath, |
module.exports.error.level.WARN |
); |
process.nextTick(() => { |
callback('The server was unable to access the filesystem path: ' + |
filesystemPath, |
module.exports.error.level.WARN |
); |
}); |
response.statusCode = 403; |
response.end(); |
return; |
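Review bot: The new comment on isRooted (L26) says what the function decides but not how far the check reaches: its input `filesystemPath` is produced by `path.resolve(root, trimmedPath)` (L60), so the containment test is lexical, and a symlink beneath root that points outside it still passes while `fs.access` (L115) is applied to the link target. If that is the accepted scope, state it where the comment is: `// Lexical containment check on the resolved path; it does not follow symlinks, so a link under rootPath can still point outside it.` The body of isRooted, and of the `process` handler, continue outside their hunks. Separately, the directory listing at L110–L112 is sent with no `Content-Type`; `response.setHeader('Content-Type', 'application/json');` before `response.write` would make the JSON body explicit, and whether every directory should be listable at all is worth a config switch rather than the current unconditional behaviour.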