node-http-server – Blame information for rev 8
?pathlinks?
Rev | Author | Line No. | Line |
---|---|---|---|
8 | office | 1 | #!/usr/bin/env node |
2 | /////////////////////////////////////////////////////////////////////////// |
||
3 | // Copyright (C) 2017 Wizardry and Steamworks - License: GNU GPLv3 // |
||
4 | /////////////////////////////////////////////////////////////////////////// |
||
5 | |||
6 | const url = require('url'); |
||
7 | const path = require('path'); |
||
8 | const fs = require('fs'); |
||
9 | const mime = require('mime'); |
||
10 | |||
11 | // Check for path traversal. |
||
12 | function isRooted(userPath, rootPath, separator) { |
||
13 | userPath = userPath.split(separator).filter(Boolean); |
||
14 | rootPath = rootPath.split(separator).filter(Boolean); |
||
15 | return userPath.length >= rootPath.length && |
||
16 | rootPath.every((e, i) => e === userPath[i]); |
||
17 | } |
||
18 | |||
19 | module.exports = { |
||
20 | error: { |
||
21 | level: { |
||
22 | INFO: 1, |
||
23 | WARN: 2, |
||
24 | ERROR: 3 |
||
25 | } |
||
26 | }, |
||
27 | handleClient: (config, request, response, root, callback) => { |
||
28 | process.nextTick(() => { |
||
29 | const requestAddress = request.socket.address(); |
||
30 | const requestedURL = url.parse(request.url, true); |
||
31 | |||
32 | callback('Client: ' + |
||
33 | requestAddress.address + ':' + |
||
34 | requestAddress.port + |
||
35 | ' accessing: ' + |
||
36 | requestedURL.pathname, |
||
37 | module.exports.error.level.INFO |
||
38 | ); |
||
39 | |||
40 | const trimmedPath = requestedURL |
||
41 | .pathname |
||
42 | .split('/') |
||
43 | .filter(Boolean) |
||
44 | .join('/'); |
||
45 | const filesystemPath = trimmedPath === '/' ? |
||
46 | path.join(root, trimmedPath) : |
||
47 | path.resolve(root, trimmedPath); |
||
48 | |||
49 | if (!isRooted(filesystemPath, root, path.sep)) { |
||
50 | callback('Attempted path traversal: ' + |
||
51 | requestAddress.address + ':' + |
||
52 | requestAddress.port + |
||
53 | ' requesting: ' + |
||
54 | requestedURL.pathname, |
||
55 | module.exports.error.level.WARN |
||
56 | ); |
||
57 | response.statusCode = 403; |
||
58 | response.end(); |
||
59 | return; |
||
60 | } |
||
61 | |||
62 | fs.stat(filesystemPath, (error, stats) => { |
||
63 | // Document does not exist. |
||
64 | if (error) { |
||
65 | response.statusCode = 404; |
||
66 | response.end(); |
||
67 | return; |
||
68 | } |
||
69 | |||
70 | switch (stats.isDirectory()) { |
||
71 | case true: // Directory is requested so provide directory indexes. |
||
72 | const root = path.resolve(filesystemPath, config.site.index); |
||
73 | fs.stat(root, (error, stats) => { |
||
74 | if (error) { |
||
75 | fs.readdir(filesystemPath, (error, paths) => { |
||
76 | if (error) { |
||
77 | callback('Could not list directory: ' + |
||
78 | filesystemPath, |
||
79 | module.exports.error.level.ERROR |
||
80 | ); |
||
81 | response.statusCode = 500; |
||
82 | response.end(); |
||
83 | return; |
||
84 | } |
||
85 | callback('Directory listing requested for: ' + |
||
86 | filesystemPath, |
||
87 | module.exports.error.level.INFO |
||
88 | ); |
||
89 | response.statusCode = 200; |
||
90 | response.write(JSON.stringify(paths)); |
||
91 | response.end(); |
||
92 | }); |
||
93 | |||
94 | return; |
||
95 | } |
||
96 | |||
97 | fs.access(filesystemPath, fs.constants.R_OK, (error) => { |
||
98 | if (error) { |
||
99 | callback('The server was unable to access the filesystem path: ' + |
||
100 | filesystemPath, |
||
101 | module.exports.error.level.WARN |
||
102 | ); |
||
103 | response.statusCode = 403; |
||
104 | response.end(); |
||
105 | return; |
||
106 | } |
||
107 | |||
108 | // Set MIME content type. |
||
109 | response.setHeader('Content-Type', mime.lookup(root)); |
||
110 | |||
111 | var readStream = fs.createReadStream(root) |
||
112 | .on('open', () => { |
||
113 | response.statusCode = 200; |
||
114 | readStream.pipe(response); |
||
115 | }) |
||
116 | .on('error', () => { |
||
117 | response.statusCode = 500; |
||
118 | response.end(); |
||
119 | }); |
||
120 | |||
121 | }); |
||
122 | |||
123 | }); |
||
124 | break; |
||
125 | default: // Browser requesting file. |
||
126 | // Check if the file is accessible. |
||
127 | fs.access(filesystemPath, fs.constants.R_OK, (error) => { |
||
128 | if (error) { |
||
129 | response.statusCode = 403; |
||
130 | response.end(); |
||
131 | return; |
||
132 | } |
||
133 | |||
134 | response.setHeader('Content-Type', mime.lookup(filesystemPath)); |
||
135 | |||
136 | var readStream = fs.createReadStream(filesystemPath) |
||
137 | .on('open', () => { |
||
138 | response.statusCode = 200; |
||
139 | readStream.pipe(response); |
||
140 | }) |
||
141 | .on('error', () => { |
||
142 | response.statusCode = 500; |
||
143 | response.end(); |
||
144 | }); |
||
145 | |||
146 | }); |
||
147 | break; |
||
148 | } |
||
149 | }) |
||
150 | }); |
||
151 | } |
||
152 | }; |