
chore: fix directory traversal check for win32 (#5623)
andredcoliveira authored Aug 13, 2024
1 parent 3855238 commit 0192880
Showing 1 changed file with 7 additions and 4 deletions.
11 changes: 7 additions & 4 deletions static.js
Expand Up @@ -31,13 +31,16 @@ if (allowSave)

http.createServer(function(req, res) {
var uri = unescape(url.parse(req.url).pathname);

// We don't allow for relative URIs, such as ../../X, to prevent directory traversal in case the server is shared with other actors.
// In windows, `path.normalize` converts `/` in the URI to `\\`, so we enforce POSIX path separators during the check.
// See more at https://cwe.mitre.org/data/definitions/22.html
if (path.normalize(uri) !== uri) {
var posixUri = uri.replaceAll(path.sep, path.posix.sep);
var normalizedPosixUri = path.normalize(uri).replaceAll(path.sep, path.posix.sep);
if (normalizedPosixUri !== posixUri) {
return error(res, 400, "400 Bad request: Directory traversal is not allowed.");
}

var filename = path.join(process.cwd(), uri);

if (req.method == "OPTIONS") {
Expand All @@ -47,7 +50,7 @@ http.createServer(function(req, res) {

if (req.method == "PUT") {
if (!allowSave)
return error(res, 404, "Saving not allowed pass --allow-save to enable");
return error(res, 404, "Saving not allowed (pass --allow-save to enable)");
return save(req, res, filename);
}

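Review bot: `String.prototype.replaceAll` on the two added lines (`var posixUri = ...` and `var normalizedPosixUri = ...`) only exists from Node 15 / ES2021; if the project still supports older runtimes the call throws a TypeError inside the request callback before the traversal check completes, which likely crashes the process on the first request instead of rejecting it. A version-agnostic equivalent is `var posixUri = uri.split(path.sep).join(path.posix.sep);` and `var normalizedPosixUri = path.normalize(uri).split(path.sep).join(path.posix.sep);`; I cannot see an `engines` constraint from here, so this may be moot. Independently of separator handling, a containment check on `filename` right after the `path.join(process.cwd(), uri)` a few lines below (for example rejecting when `path.relative(process.cwd(), filename)` starts with `..` or is absolute) would anchor the protection on the resolved path rather than on string equality with `path.normalize`, which also rejects harmless inputs such as `/a/./b` or `//a`. The enclosing request handler starts at `http.createServer` inside the hunk and continues past it.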
