From 5b2031b84feb4d02a21a14b61337b68bec8f4869 Mon Sep 17 00:00:00 2001
From: James Allen
Date: Thu, 4 Dec 2014 22:07:37 +0000
Subject: [PATCH] Check file is not a symlink before returning it

---
 app.coffee | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/app.coffee b/app.coffee
index 0d9904d..fe9ad53 100644
--- a/app.coffee
+++ b/app.coffee
@@ -5,6 +5,7 @@ logger.initialize("clsi")
 
 smokeTest = require "smoke-test-sharelatex"
 Path = require "path"
+fs = require "fs"
 Metrics = require "metrics-sharelatex"
 Metrics.initialize("clsi")
 
@@ -49,9 +50,26 @@ staticServer = express.static Settings.path.compilesDir, setHeaders: (res, path,
 # that could be used in same-origin/XSS attacks.
 res.set("Content-Type", "text/plain")
 
+
+
 app.get "/project/:project_id/output/*", (req, res, next) ->
- req.url = "/#{req.params.project_id}/#{req.params[0]}"
- staticServer(req, res, next)
+ basePath = Path.resolve("#{Settings.path.compilesDir}/#{req.params.project_id}")
+ path = Path.normalize("#{basePath}/#{req.params[0]}")
+ if path.slice(0, basePath.length) != basePath
+ logger.warn path: req.params[0], project_id: req.params.project_id, "trying to leave project directory, aborting"
+ res.send(404)
+ return
+ fs.lstat path, (error, stats) ->
+ if error?
+ if error.code == "ENOENT"
+ error.statusCode = 404
+ return next(error)
+ if stats.isSymbolicLink()
+ error = new Error("file is a symlink")
+ error.statusCode = 404
+ return next(error)
+ req.url = "/#{req.params.project_id}/#{req.params[0]}"
+ staticServer(req, res, next)
 
 app.get "/status", (req, res, next) ->
 res.send "CLSI is alive\n"
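Review bot: The containment test `if path.slice(0, basePath.length) != basePath` in the new output handler is a bare string-prefix comparison, so a sibling directory whose name merely begins with the project directory name would pass it; anchor the comparison on the separator, e.g. `unless path == basePath or path.indexOf(basePath + Path.sep) == 0`, and reject otherwise. `basePath` itself is derived from `req.params.project_id` without any check that it still lies under `Settings.path.compilesDir`; this presumably relies on the router keeping separators out of the param, but asserting that `basePath` starts with `Path.resolve(Settings.path.compilesDir) + Path.sep` would make the invariant explicit rather than implied. The `fs.lstat` guard only examines the final path component, so a symlink in an intermediate directory is not detected, and the check is decoupled from the read that `staticServer` later performs; resolving the file with `fs.realpath` and comparing the result against the resolved project directory would cover both cases in one step, and is worth noting in a comment above `fs.lstat` if the leaf-only check is intentional. Minor style point: the symlink branch reuses the `error` callback parameter (which is null at that point) for a freshly constructed Error; a distinct name such as `symlinkError` reads more clearly.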