From 5af137f60b38899ea6c82256815ed91e4511d0cc Mon Sep 17 00:00:00 2001
From: Brian Gough
Date: Mon, 20 Mar 2017 10:03:48 +0000
Subject: [PATCH] additional check for valid rootResource
---
 app/coffee/RequestParser.coffee | 9 ++++++++-
 test/unit/coffee/RequestParserTests.coffee | 18 ++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/app/coffee/RequestParser.coffee b/app/coffee/RequestParser.coffee
index 90bc739..8fc4ecf 100644
--- a/app/coffee/RequestParser.coffee
+++ b/app/coffee/RequestParser.coffee
@@ -44,7 +44,7 @@ module.exports = RequestParser =
 type: "string"
 originalRootResourcePath = rootResourcePath
 sanitizedRootResourcePath = RequestParser._sanitizePath(rootResourcePath)
- response.rootResourcePath = sanitizedRootResourcePath
+ response.rootResourcePath = RequestParser._checkPath(sanitizedRootResourcePath)
 for resource in response.resources
 if resource.path == originalRootResourcePath
@@ -92,3 +92,10 @@ module.exports = RequestParser =
 _sanitizePath: (path) ->
 # See http://php.net/manual/en/function.escapeshellcmd.php
 path.replace(/[\#\&\;\`\|\*\?\~\<\>\^\(\)\[\]\{\}\$\\\x0A\xFF\x00]/g, "")
+
+ _checkPath: (path) ->
+ # check that the request does not use a relative path
+ for dir in path.split('/')
+ if dir == '..'
+ throw "relative path in root resource"
+ return path
diff --git a/test/unit/coffee/RequestParserTests.coffee b/test/unit/coffee/RequestParserTests.coffee
index 4cf6119..1cd931b 100644
--- a/test/unit/coffee/RequestParserTests.coffee
+++ b/test/unit/coffee/RequestParserTests.coffee
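Review bot: `_checkPath` in the second hunk only rejects `..` segments, so a rootResourcePath that is absolute (begins with `/`) passes the new check unchanged even though the commit is described as a check for a valid root resource; `_sanitizePath` does not strip `/`, so nothing upstream in this file removes it either. If the value is later joined onto a per-compile directory, an absolute path leaves that directory as surely as a `..` segment would, so consider adding `if path[0] == '/'` / `throw "absolute path in root resource"` ahead of the loop, with a test beside the two added in RequestParserTests.coffee. Separately, `throw "relative path in root resource"` throws a bare string rather than an Error, so there is no stack trace and no `err.message` for callers that inspect one; the added tests assert on the string itself, so a move to `new Error(...)` would need their `calledWith` updated too. The `parse` body around the first hunk's changed line starts and ends outside the hunk, so whether the throw is caught and routed to the callback is inferred from the tests rather than visible here.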
@@ -223,4 +223,22 @@ describe "RequestParser", ->
 it "should also escape the resource path", ->
 @data.resources[0].path.should.equal @goodPath
+ describe "with a root resource path that has a relative path", ->
+ beforeEach ->
+ @validRequest.compile.rootResourcePath = "foo/../../bar.tex"
+ @RequestParser.parse @validRequest, @callback
+ @data = @callback.args[0][1]
+ it "should return an error", ->
+ @callback.calledWith("relative path in root resource")
+ .should.equal true
+
+ describe "with a root resource path that has unescaped + relative path", ->
+ beforeEach ->
+ @validRequest.compile.rootResourcePath = "foo/#../bar.tex"
+ @RequestParser.parse @validRequest, @callback
+ @data = @callback.args[0][1]
+
+ it "should return an error", ->
+ @callback.calledWith("relative path in root resource")
+ .should.equal true
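Review bot: Both added `describe` blocks assign `@data = @callback.args[0][1]` but neither `it` reads it, and in the error case the callback's second argument is presumably undefined, so that line can be dropped from each `beforeEach`. The second block's title, `"with a root resource path that has unescaped + relative path"`, looks like a stray `+` inside the string and probably meant `"with a root resource path that has an unescaped relative path"`. Neither test pins the success path after `_checkPath`, e.g. that a plain `"foo/bar.tex"` still reaches `rootResourcePath` unchanged; one positive case would guard against the check rejecting valid paths. The hunk's trailing context, if any, is not visible here.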