| /src/handler.js |
|---|
| @@ -9,7 +9,7 @@ |
|---|
| const fs = require('fs'); |
| const mime = require('mime'); |
| |
| // Check for path traversal. |
| // Checks whether userPath is a child of rootPath |
| function isRooted(userPath, rootPath, separator) { |
| userPath = userPath.split(separator).filter(Boolean); |
| rootPath = rootPath.split(separator).filter(Boolean); |
| @@ -25,18 +25,20 @@ |
|---|
| ERROR: 3 |
| } |
| }, |
| handleClient: (config, request, response, root, callback) => { |
| process: (config, request, response, root, callback) => { |
| process.nextTick(() => { |
| const requestAddress = request.socket.address(); |
| const requestedURL = url.parse(request.url, true); |
| |
| callback('Client: ' + |
| requestAddress.address + ':' + |
| requestAddress.port + |
| ' accessing: ' + |
| requestedURL.pathname, |
| module.exports.error.level.INFO |
| ); |
| process.nextTick(() => { |
| callback('Client: ' + |
| requestAddress.address + ':' + |
| requestAddress.port + |
| ' accessing: ' + |
| requestedURL.pathname, |
| module.exports.error.level.INFO |
| ); |
| }); |
| |
| const trimmedPath = requestedURL |
| .pathname |
| @@ -48,13 +50,15 @@ |
|---|
| path.resolve(root, trimmedPath); |
| |
| if (!isRooted(filesystemPath, root, path.sep)) { |
| callback('Attempted path traversal: ' + |
| requestAddress.address + ':' + |
| requestAddress.port + |
| ' requesting: ' + |
| requestedURL.pathname, |
| module.exports.error.level.WARN |
| ); |
| process.nextTick(() => { |
| callback('Attempted path traversal: ' + |
| requestAddress.address + ':' + |
| requestAddress.port + |
| ' requesting: ' + |
| requestedURL.pathname, |
| module.exports.error.level.WARN |
| ); |
| }); |
| response.statusCode = 403; |
| response.end(); |
| return; |
| @@ -75,18 +79,22 @@ |
|---|
| if (error) { |
| fs.readdir(filesystemPath, (error, paths) => { |
| if (error) { |
| callback('Could not list directory: ' + |
| filesystemPath, |
| module.exports.error.level.ERROR |
| ); |
| process.nextTick(() => { |
| callback('Could not list directory: ' + |
| filesystemPath, |
| module.exports.error.level.ERROR |
| ); |
| }); |
| response.statusCode = 500; |
| response.end(); |
| return; |
| } |
| callback('Directory listing requested for: ' + |
| filesystemPath, |
| module.exports.error.level.INFO |
| ); |
| process.nextTick(() => { |
| callback('Directory listing requested for: ' + |
| filesystemPath, |
| module.exports.error.level.INFO |
| ); |
| }); |
| response.statusCode = 200; |
| response.write(JSON.stringify(paths)); |
| response.end(); |
| @@ -97,10 +105,12 @@ |
|---|
| |
| fs.access(filesystemPath, fs.constants.R_OK, (error) => { |
| if (error) { |
| callback('The server was unable to access the filesystem path: ' + |
| filesystemPath, |
| module.exports.error.level.WARN |
| ); |
| process.nextTick(() => { |
| callback('The server was unable to access the filesystem path: ' + |
| filesystemPath, |
| module.exports.error.level.WARN |
| ); |
| }); |
| response.statusCode = 403; |
| response.end(); |
| return; |
