Craftadoc/clsi
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

provide a static server which forbids symlinks

Browse Source 
prevents mismatch between rootdir of server and rootdir of symlink
checking middleware
This commit is contained in:
Brian Gough
2015-02-27 13:57:57 +00:00
parent 0692e964ef
commit 37cc9f3715
4 changed files with 38 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
app.coffee
View File

@@ -37,24 +37,12 @@ app.delete "/project/:project_id", CompileController.clearCache
app.get "/project/:project_id/sync/code", CompileController.syncFromCode
app.get "/project/:project_id/sync/pdf", CompileController.syncFromPdf
url = require "url"
ForbidSymlinks = require "./app/js/StaticServerForbidSymlinks"
staticForbidSymLinks = (root, options) ->
expressStatic = express.static root, options
basePath = Path.resolve(root)
return (req, res, next) ->
path = url.parse(req.url).pathname
requestedFsPath = Path.normalize("#{basePath}/#{path}")
fs.realpath requestedFsPath, (err, realFsPath)->
if err?
return res.send(500)
else if requestedFsPath != realFsPath
logger.warn requestedFsPath:requestedFsPath, realFsPath:realFsPath, path: req.params[0], project_id: req.params.project_id, "trying to access a different file (symlink), aborting"
return res.send(404)
else
expressStatic(req, res, next)
staticServer = staticForbidSymLinks Settings.path.compilesDir, setHeaders: (res, path, stat) ->
# create a static server which does not allow access to any symlinks
# avoids possible mismatch of root directory between middleware check
# and serving the files
staticServer = ForbidSymlinks express.static, Settings.path.compilesDir, setHeaders: (res, path, stat) ->
if Path.basename(path) == "output.pdf"
res.set("Content-Type", "application/pdf")
# Calculate an etag in the same way as nginx
@@ -68,9 +56,10 @@ staticServer = staticForbidSymLinks Settings.path.compilesDir, setHeaders: (res,
# that could be used in same-origin/XSS attacks.
res.set("Content-Type", "text/plain")
app.get "/project/:project_id/output/*", require("./app/js/SymlinkCheckerMiddlewear"), (req, res, next) ->
app.get "/project/:project_id/output/*", (req, res, next) ->
if req.query?.build? && req.query.build.match(OutputCacheManager.BUILD_REGEX)
req.url = "/#{req.params.project_id}/" + OutputCacheManager.path(req.query.build) + "/#{req.params[0]}"
# for specific build get the path from the OutputCacheManager (e.g. .clsi/buildId)
req.url = "/#{req.params.project_id}/" + OutputCacheManager.path(req.query.build, "/#{req.params[0]}")
else
req.url = "/#{req.params.project_id}/#{req.params[0]}"
staticServer(req, res, next)