node-http-server – Diff between revs 9 and 11
?pathlinks?
| Rev 9 | Rev 11 | |||
|---|---|---|---|---|
| Line 7... | Line 7... | |||
| 7 | const url = require('url'); |
7 | const url = require('url'); |
|
| 8 | const path = require('path'); |
8 | const path = require('path'); |
|
| 9 | const fs = require('fs'); |
9 | const fs = require('fs'); |
|
| 10 | const mime = require('mime'); |
10 | const mime = require('mime'); |
|
| Line 11... | Line 11... | |||
| 11 | |
11 | |
|
| 12 | // Check for path traversal. |
12 | // Checks whether userPath is a child of rootPath |
|
| 13 | function isRooted(userPath, rootPath, separator) { |
13 | function isRooted(userPath, rootPath, separator) { |
|
| 14 | userPath = userPath.split(separator).filter(Boolean); |
14 | userPath = userPath.split(separator).filter(Boolean); |
|
| 15 | rootPath = rootPath.split(separator).filter(Boolean); |
15 | rootPath = rootPath.split(separator).filter(Boolean); |
|
| 16 | return userPath.length >= rootPath.length && |
16 | return userPath.length >= rootPath.length && |
|
| Line 23... | Line 23... | |||
| 23 | INFO: 1, |
23 | INFO: 1, |
|
| 24 | WARN: 2, |
24 | WARN: 2, |
|
| 25 | ERROR: 3 |
25 | ERROR: 3 |
|
| 26 | } |
26 | } |
|
| 27 | }, |
27 | }, |
|
| 28 | handleClient: (config, request, response, root, callback) => { |
28 | process: (config, request, response, root, callback) => { |
|
| 29 | process.nextTick(() => { |
29 | process.nextTick(() => { |
|
| 30 | const requestAddress = request.socket.address(); |
30 | const requestAddress = request.socket.address(); |
|
| 31 | const requestedURL = url.parse(request.url, true); |
31 | const requestedURL = url.parse(request.url, true); |
|
| Line -... | Line 32... | |||
| - | 32 | |
||
| 32 | |
33 | process.nextTick(() => { |
|
| 33 | callback('Client: ' + |
34 | callback('Client: ' + |
|
| 34 | requestAddress.address + ':' + |
35 | requestAddress.address + ':' + |
|
| 35 | requestAddress.port + |
36 | requestAddress.port + |
|
| 36 | ' accessing: ' + |
37 | ' accessing: ' + |
|
| 37 | requestedURL.pathname, |
38 | requestedURL.pathname, |
|
| - | 39 | module.exports.error.level.INFO |
||
| 38 | module.exports.error.level.INFO |
40 | ); |
|
| Line 39... | Line 41... | |||
| 39 | ); |
41 | }); |
|
| 40 | |
42 | |
|
| 41 | const trimmedPath = requestedURL |
43 | const trimmedPath = requestedURL |
|
| 42 | .pathname |
44 | .pathname |
|
| Line 46... | Line 48... | |||
| 46 | const filesystemPath = trimmedPath === '/' ? |
48 | const filesystemPath = trimmedPath === '/' ? |
|
| 47 | path.join(root, trimmedPath) : |
49 | path.join(root, trimmedPath) : |
|
| 48 | path.resolve(root, trimmedPath); |
50 | path.resolve(root, trimmedPath); |
|
| Line 49... | Line 51... | |||
| 49 | |
51 | |
|
| - | 52 | if (!isRooted(filesystemPath, root, path.sep)) { |
||
| 50 | if (!isRooted(filesystemPath, root, path.sep)) { |
53 | process.nextTick(() => { |
|
| 51 | callback('Attempted path traversal: ' + |
54 | callback('Attempted path traversal: ' + |
|
| 52 | requestAddress.address + ':' + |
55 | requestAddress.address + ':' + |
|
| 53 | requestAddress.port + |
56 | requestAddress.port + |
|
| 54 | ' requesting: ' + |
57 | ' requesting: ' + |
|
| 55 | requestedURL.pathname, |
58 | requestedURL.pathname, |
|
| - | 59 | module.exports.error.level.WARN |
||
| 56 | module.exports.error.level.WARN |
60 | ); |
|
| 57 | ); |
61 | }); |
|
| 58 | response.statusCode = 403; |
62 | response.statusCode = 403; |
|
| 59 | response.end(); |
63 | response.end(); |
|
| 60 | return; |
64 | return; |
|
| Line 73... | Line 77... | |||
| 73 | const root = path.resolve(filesystemPath, config.site.index); |
77 | const root = path.resolve(filesystemPath, config.site.index); |
|
| 74 | fs.stat(root, (error, stats) => { |
78 | fs.stat(root, (error, stats) => { |
|
| 75 | if (error) { |
79 | if (error) { |
|
| 76 | fs.readdir(filesystemPath, (error, paths) => { |
80 | fs.readdir(filesystemPath, (error, paths) => { |
|
| 77 | if (error) { |
81 | if (error) { |
|
| - | 82 | process.nextTick(() => { |
||
| 78 | callback('Could not list directory: ' + |
83 | callback('Could not list directory: ' + |
|
| 79 | filesystemPath, |
84 | filesystemPath, |
|
| 80 | module.exports.error.level.ERROR |
85 | module.exports.error.level.ERROR |
|
| - | 86 | ); |
||
| 81 | ); |
87 | }); |
|
| 82 | response.statusCode = 500; |
88 | response.statusCode = 500; |
|
| 83 | response.end(); |
89 | response.end(); |
|
| 84 | return; |
90 | return; |
|
| 85 | } |
91 | } |
|
| - | 92 | process.nextTick(() => { |
||
| 86 | callback('Directory listing requested for: ' + |
93 | callback('Directory listing requested for: ' + |
|
| 87 | filesystemPath, |
94 | filesystemPath, |
|
| 88 | module.exports.error.level.INFO |
95 | module.exports.error.level.INFO |
|
| - | 96 | ); |
||
| 89 | ); |
97 | }); |
|
| 90 | response.statusCode = 200; |
98 | response.statusCode = 200; |
|
| 91 | response.write(JSON.stringify(paths)); |
99 | response.write(JSON.stringify(paths)); |
|
| 92 | response.end(); |
100 | response.end(); |
|
| 93 | }); |
101 | }); |
|
| Line 94... | Line 102... | |||
| 94 | |
102 | |
|
| 95 | return; |
103 | return; |
|
| Line 96... | Line 104... | |||
| 96 | } |
104 | } |
|
| 97 | |
105 | |
|
| - | 106 | fs.access(filesystemPath, fs.constants.R_OK, (error) => { |
||
| 98 | fs.access(filesystemPath, fs.constants.R_OK, (error) => { |
107 | if (error) { |
|
| 99 | if (error) { |
108 | process.nextTick(() => { |
|
| 100 | callback('The server was unable to access the filesystem path: ' + |
109 | callback('The server was unable to access the filesystem path: ' + |
|
| - | 110 | filesystemPath, |
||
| 101 | filesystemPath, |
111 | module.exports.error.level.WARN |
|
| 102 | module.exports.error.level.WARN |
112 | ); |
|
| 103 | ); |
113 | }); |
|
| 104 | response.statusCode = 403; |
114 | response.statusCode = 403; |
|
| 105 | response.end(); |
115 | response.end(); |
|