node-http-server – Diff between revs 9 and 11
Line 7... | Line 7... | |||
7 | const url = require('url'); |
7 | const url = require('url'); |
|
8 | const path = require('path'); |
8 | const path = require('path'); |
|
9 | const fs = require('fs'); |
9 | const fs = require('fs'); |
|
10 | const mime = require('mime'); |
10 | const mime = require('mime'); |
|
Line 11... | Line 11... | |||
11 | |
11 | |
|
12 | // Check for path traversal. |
12 | // Checks whether userPath is a child of rootPath |
|
13 | function isRooted(userPath, rootPath, separator) { |
13 | function isRooted(userPath, rootPath, separator) { |
|
14 | userPath = userPath.split(separator).filter(Boolean); |
14 | userPath = userPath.split(separator).filter(Boolean); |
|
15 | rootPath = rootPath.split(separator).filter(Boolean); |
15 | rootPath = rootPath.split(separator).filter(Boolean); |
|
16 | return userPath.length >= rootPath.length && |
16 | return userPath.length >= rootPath.length && |
|
Line 23... | Line 23... | |||
23 | INFO: 1, |
23 | INFO: 1, |
|
24 | WARN: 2, |
24 | WARN: 2, |
|
25 | ERROR: 3 |
25 | ERROR: 3 |
|
26 | } |
26 | } |
|
27 | }, |
27 | }, |
|
28 | handleClient: (config, request, response, root, callback) => { |
28 | process: (config, request, response, root, callback) => { |
|
29 | process.nextTick(() => { |
29 | process.nextTick(() => { |
|
30 | const requestAddress = request.socket.address(); |
30 | const requestAddress = request.socket.address(); |
|
31 | const requestedURL = url.parse(request.url, true); |
31 | const requestedURL = url.parse(request.url, true); |
|
Line -... | Line 32... | |||
- | 32 | |
||
32 | |
33 | process.nextTick(() => { |
|
33 | callback('Client: ' + |
34 | callback('Client: ' + |
|
34 | requestAddress.address + ':' + |
35 | requestAddress.address + ':' + |
|
35 | requestAddress.port + |
36 | requestAddress.port + |
|
36 | ' accessing: ' + |
37 | ' accessing: ' + |
|
37 | requestedURL.pathname, |
38 | requestedURL.pathname, |
|
- | 39 | module.exports.error.level.INFO |
||
38 | module.exports.error.level.INFO |
40 | ); |
|
Line 39... | Line 41... | |||
39 | ); |
41 | }); |
|
40 | |
42 | |
|
41 | const trimmedPath = requestedURL |
43 | const trimmedPath = requestedURL |
|
42 | .pathname |
44 | .pathname |
|
Line 46... | Line 48... | |||
46 | const filesystemPath = trimmedPath === '/' ? |
48 | const filesystemPath = trimmedPath === '/' ? |
|
47 | path.join(root, trimmedPath) : |
49 | path.join(root, trimmedPath) : |
|
48 | path.resolve(root, trimmedPath); |
50 | path.resolve(root, trimmedPath); |
|
Line 49... | Line 51... | |||
49 | |
51 | |
|
- | 52 | if (!isRooted(filesystemPath, root, path.sep)) { |
||
50 | if (!isRooted(filesystemPath, root, path.sep)) { |
53 | process.nextTick(() => { |
|
51 | callback('Attempted path traversal: ' + |
54 | callback('Attempted path traversal: ' + |
|
52 | requestAddress.address + ':' + |
55 | requestAddress.address + ':' + |
|
53 | requestAddress.port + |
56 | requestAddress.port + |
|
54 | ' requesting: ' + |
57 | ' requesting: ' + |
|
55 | requestedURL.pathname, |
58 | requestedURL.pathname, |
|
- | 59 | module.exports.error.level.WARN |
||
56 | module.exports.error.level.WARN |
60 | ); |
|
57 | ); |
61 | }); |
|
58 | response.statusCode = 403; |
62 | response.statusCode = 403; |
|
59 | response.end(); |
63 | response.end(); |
|
60 | return; |
64 | return; |
|
Line 73... | Line 77... | |||
73 | const root = path.resolve(filesystemPath, config.site.index); |
77 | const root = path.resolve(filesystemPath, config.site.index); |
|
74 | fs.stat(root, (error, stats) => { |
78 | fs.stat(root, (error, stats) => { |
|
75 | if (error) { |
79 | if (error) { |
|
76 | fs.readdir(filesystemPath, (error, paths) => { |
80 | fs.readdir(filesystemPath, (error, paths) => { |
|
77 | if (error) { |
81 | if (error) { |
|
- | 82 | process.nextTick(() => { |
||
78 | callback('Could not list directory: ' + |
83 | callback('Could not list directory: ' + |
|
79 | filesystemPath, |
84 | filesystemPath, |
|
80 | module.exports.error.level.ERROR |
85 | module.exports.error.level.ERROR |
|
- | 86 | ); |
||
81 | ); |
87 | }); |
|
82 | response.statusCode = 500; |
88 | response.statusCode = 500; |
|
83 | response.end(); |
89 | response.end(); |
|
84 | return; |
90 | return; |
|
85 | } |
91 | } |
|
- | 92 | process.nextTick(() => { |
||
86 | callback('Directory listing requested for: ' + |
93 | callback('Directory listing requested for: ' + |
|
87 | filesystemPath, |
94 | filesystemPath, |
|
88 | module.exports.error.level.INFO |
95 | module.exports.error.level.INFO |
|
- | 96 | ); |
||
89 | ); |
97 | }); |
|
90 | response.statusCode = 200; |
98 | response.statusCode = 200; |
|
91 | response.write(JSON.stringify(paths)); |
99 | response.write(JSON.stringify(paths)); |
|
92 | response.end(); |
100 | response.end(); |
|
93 | }); |
101 | }); |
|
Line 94... | Line 102... | |||
94 | |
102 | |
|
95 | return; |
103 | return; |
|
Line 96... | Line 104... | |||
96 | } |
104 | } |
|
97 | |
105 | |
|
- | 106 | fs.access(filesystemPath, fs.constants.R_OK, (error) => { |
||
98 | fs.access(filesystemPath, fs.constants.R_OK, (error) => { |
107 | if (error) { |
|
99 | if (error) { |
108 | process.nextTick(() => { |
|
100 | callback('The server was unable to access the filesystem path: ' + |
109 | callback('The server was unable to access the filesystem path: ' + |
|
- | 110 | filesystemPath, |
||
101 | filesystemPath, |
111 | module.exports.error.level.WARN |
|
102 | module.exports.error.level.WARN |
112 | ); |
|
103 | ); |
113 | }); |
|
104 | response.statusCode = 403; |
114 | response.statusCode = 403; |
|
105 | response.end(); |
115 | response.end(); |