fix an issue in the path handling that allowed directory traversal

pull/2594/head
Tom Hunkapiller 2015-04-10 19:25:52 -05:00 committed by John McLear
parent b95395a130
commit 5409eb314c
1 changed files with 6 additions and 2 deletions

View File

@ -23,6 +23,7 @@ exports.expressCreateServer = function (hook_name, args, cb) {
});
var rootTestFolder = path.join(npm.root, "..", "/tests/frontend/");
var url2FilePath = function(url){
var subPath = url.substr("/tests/frontend".length);
if (subPath == ""){
@ -30,8 +31,11 @@ exports.expressCreateServer = function (hook_name, args, cb) {
}
subPath = subPath.split("?")[0];
var filePath = path.normalize(npm.root + "/../tests/frontend/")
filePath += subPath.replace("..", "");
var filePath = path.normalize(path.join(rootTestFolder, subPath));
// make sure we jail the paths to the test folder, otherwise serve index
if (filePath.indexOf(rootTestFolder) !== 0) {
filePath = path.normalize(path.join(rootTestFolder, "index.html"));
}
return filePath;
}