Craftadoc/clsi
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

change regex checking file request ensure other files can not be accessed

Browse Source
This commit is contained in:
Henry Oswald
2015-05-12 15:17:18 +01:00
parent 9d3fdcf8b4
commit 94c4187eb2
2 changed files with 13 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
app/coffee/StaticServerForbidSymlinks.coffee
View File

@@ -9,8 +9,8 @@ module.exports = ForbidSymlinks = (staticFn, root, options) ->
basePath = Path.resolve(root) basePath = Path.resolve(root)
return (req, res, next) -> return (req, res, next) ->
path = url.parse(req.url)?.pathname path = url.parse(req.url)?.pathname
# check that the path is of the form /project_id/path/to/file # check that the path is of the form /project_id_or_name/path/to/file.log
if result = path.match(/^\/?(\w+)\/(.*)/) if result = path.match(/^\/?([a-zA-Z0-9_-]+)\/(.*)/)
project_id = result[1] project_id = result[1]
file = result[2] file = result[2]
else else

11
test/unit/coffee/StaticServerForbidSymlinksTests.coffee
View File

@@ -134,6 +134,17 @@ describe "StaticServerForbidSymlinks", ->
done() done()
@StaticServerForbidSymlinks @req, @res @StaticServerForbidSymlinks @req, @res
describe "with a github style path", ->
beforeEach ->
@req.url = "/henryoswald-latex_example/output/output.log"
@fs.realpath = sinon.stub().callsArgWith(1, null, "#{@settings.path.compilesDir}/henryoswald-latex_example/output/output.log")
it "should call next", (done)->
@res.sendStatus = (resCode)->
resCode.should.equal 200
done()
@StaticServerForbidSymlinks @req, @res, done
describe "with an error from fs.realpath", -> describe "with an error from fs.realpath", ->
beforeEach -> beforeEach ->