/src/handler.js |
@@ -0,0 +1,152 @@ |
#!/usr/bin/env node |
/////////////////////////////////////////////////////////////////////////// |
// Copyright (C) 2017 Wizardry and Steamworks - License: GNU GPLv3 // |
/////////////////////////////////////////////////////////////////////////// |
|
const url = require('url'); |
const path = require('path'); |
const fs = require('fs'); |
const mime = require('mime'); |
|
// Check for path traversal. |
function isRooted(userPath, rootPath, separator) { |
userPath = userPath.split(separator).filter(Boolean); |
rootPath = rootPath.split(separator).filter(Boolean); |
return userPath.length >= rootPath.length && |
rootPath.every((e, i) => e === userPath[i]); |
} |
|
module.exports = { |
error: { |
level: { |
INFO: 1, |
WARN: 2, |
ERROR: 3 |
} |
}, |
handleClient: (config, request, response, root, callback) => { |
process.nextTick(() => { |
const requestAddress = request.socket.address(); |
const requestedURL = url.parse(request.url, true); |
|
callback('Client: ' + |
requestAddress.address + ':' + |
requestAddress.port + |
' accessing: ' + |
requestedURL.pathname, |
module.exports.error.level.INFO |
); |
|
const trimmedPath = requestedURL |
.pathname |
.split('/') |
.filter(Boolean) |
.join('/'); |
const filesystemPath = trimmedPath === '/' ? |
path.join(root, trimmedPath) : |
path.resolve(root, trimmedPath); |
|
if (!isRooted(filesystemPath, root, path.sep)) { |
callback('Attempted path traversal: ' + |
requestAddress.address + ':' + |
requestAddress.port + |
' requesting: ' + |
requestedURL.pathname, |
module.exports.error.level.WARN |
); |
response.statusCode = 403; |
response.end(); |
return; |
} |
|
fs.stat(filesystemPath, (error, stats) => { |
// Document does not exist. |
if (error) { |
response.statusCode = 404; |
response.end(); |
return; |
} |
|
switch (stats.isDirectory()) { |
case true: // Directory is requested so provide directory indexes. |
const root = path.resolve(filesystemPath, config.site.index); |
fs.stat(root, (error, stats) => { |
if (error) { |
fs.readdir(filesystemPath, (error, paths) => { |
if (error) { |
callback('Could not list directory: ' + |
filesystemPath, |
module.exports.error.level.ERROR |
); |
response.statusCode = 500; |
response.end(); |
return; |
} |
callback('Directory listing requested for: ' + |
filesystemPath, |
module.exports.error.level.INFO |
); |
response.statusCode = 200; |
response.write(JSON.stringify(paths)); |
response.end(); |
}); |
|
return; |
} |
|
fs.access(filesystemPath, fs.constants.R_OK, (error) => { |
if (error) { |
callback('The server was unable to access the filesystem path: ' + |
filesystemPath, |
module.exports.error.level.WARN |
); |
response.statusCode = 403; |
response.end(); |
return; |
} |
|
// Set MIME content type. |
response.setHeader('Content-Type', mime.lookup(root)); |
|
var readStream = fs.createReadStream(root) |
.on('open', () => { |
response.statusCode = 200; |
readStream.pipe(response); |
}) |
.on('error', () => { |
response.statusCode = 500; |
response.end(); |
}); |
|
}); |
|
}); |
break; |
default: // Browser requesting file. |
// Check if the file is accessible. |
fs.access(filesystemPath, fs.constants.R_OK, (error) => { |
if (error) { |
response.statusCode = 403; |
response.end(); |
return; |
} |
|
response.setHeader('Content-Type', mime.lookup(filesystemPath)); |
|
var readStream = fs.createReadStream(filesystemPath) |
.on('open', () => { |
response.statusCode = 200; |
readStream.pipe(response); |
}) |
.on('error', () => { |
response.statusCode = 500; |
response.end(); |
}); |
|
}); |
break; |
} |
}) |
}); |
} |
}; |