From 94c4187eb2ce68fe6768f83f51fb144225540035 Mon Sep 17 00:00:00 2001
From: Henry Oswald
Date: Tue, 12 May 2015 15:17:18 +0100
Subject: [PATCH] change regex checking file request ensure other files can not be accessed

---
 app/coffee/StaticServerForbidSymlinks.coffee | 4 ++--
 .../coffee/StaticServerForbidSymlinksTests.coffee | 11 +++++++++++
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/app/coffee/StaticServerForbidSymlinks.coffee b/app/coffee/StaticServerForbidSymlinks.coffee
index 348ecca..83ca4ca 100644
--- a/app/coffee/StaticServerForbidSymlinks.coffee
+++ b/app/coffee/StaticServerForbidSymlinks.coffee
@@ -9,8 +9,8 @@ module.exports = ForbidSymlinks = (staticFn, root, options) ->
 basePath = Path.resolve(root)
 return (req, res, next) ->
 path = url.parse(req.url)?.pathname
- # check that the path is of the form /project_id/path/to/file
- if result = path.match(/^\/?(\w+)\/(.*)/)
+ # check that the path is of the form /project_id_or_name/path/to/file.log
+ if result = path.match(/^\/?([a-zA-Z0-9_-]+)\/(.*)/)
 project_id = result[1]
 file = result[2]
 else
diff --git a/test/unit/coffee/StaticServerForbidSymlinksTests.coffee b/test/unit/coffee/StaticServerForbidSymlinksTests.coffee
index e6b7f5f..4a87d64 100644
--- a/test/unit/coffee/StaticServerForbidSymlinksTests.coffee
+++ b/test/unit/coffee/StaticServerForbidSymlinksTests.coffee
@@ -134,6 +134,17 @@ describe "StaticServerForbidSymlinks", ->
 done()
 @StaticServerForbidSymlinks @req, @res
+ describe "with a github style path", ->
+ beforeEach ->
+ @req.url = "/henryoswald-latex_example/output/output.log"
+ @fs.realpath = sinon.stub().callsArgWith(1, null, "#{@settings.path.compilesDir}/henryoswald-latex_example/output/output.log")
+ it "should call next", (done)->
+ @res.sendStatus = (resCode)->
+ resCode.should.equal 200
+ done()
+ @StaticServerForbidSymlinks @req, @res, done
+ describe "with an error from fs.realpath", ->
 beforeEach ->
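Review bot: The new character class in the `if result = path.match(...)` line is a strict superset of the old one — in JavaScript `\w` is already `[A-Za-z0-9_]`, so the change only admits `-` in the project segment and does not by itself narrow which files can be reached, despite what the commit title suggests; the second group `(.*)` still accepts any remaining path, including `..` segments and percent-encoded bytes, since `url.parse(req.url).pathname` is not percent-decoded. Containment therefore has to rest on whatever follows the `else` branch (presumably the realpath-against-basePath comparison that the test file's `fs.realpath` stub hints at), and that code, like the start of ForbidSymlinks, lies outside this hunk. I would make the comment state what is actually enforced here, e.g. `# project segment: letters, digits, _ and - (github-style names); the file segment is not validated at this point`, and add a unit test next to the "with a github style path" case asserting that a `..` in the file segment is rejected, so the containment guarantee is pinned rather than assumed.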