
Disallow serving absolute paths from directory handler (#160)
devinivy authored Aug 30, 2021
1 parent 581ad05 commit 16e04cd
Showing 2 changed files with 33 additions and 2 deletions.
9 changes: 7 additions & 2 deletions lib/directory.js
Expand Up @@ -64,7 +64,12 @@ exports.handler = function (route, options) {

// Append parameter

const selection = request.params[paramName];
const selection = request.params[paramName] || '';

if (Path.isAbsolute(selection)) {
throw Boom.notFound(null, {});
}

if (selection &&
!settings.showHidden &&
internals.isFileHidden(selection)) {
Expand Down Expand Up @@ -93,7 +98,7 @@ exports.handler = function (route, options) {

fileOptions.confine = baseDir;

let path = selection || '';
let path = selection;
let error;

try {
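Review bot: The new `Path.isAbsolute(selection)` check in the first hunk has no comment explaining why it is needed next to `fileOptions.confine = baseDir` in the second hunk, and a reader may assume the confine setting alone is sufficient; something like `// Reject absolute selections up front rather than relying on the confine check alone` keeps the intent visible. Moving `|| ''` from the later `let path` line up to the `selection` declaration also matters for correctness, since `Path.isAbsolute()` throws on a non-string argument and a route whose parameter is absent would otherwise reach it with `undefined`; that is worth stating in the same comment. `Path.isAbsolute` is platform-specific (a leading `/` on POSIX, drive-letter or UNC prefixes on Windows), which looks adequate here because the other form would be treated by the OS as an ordinary relative name, but confirm that is the intended scope. The enclosing `exports.handler` function starts and ends outside the hunk.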
26 changes: 26 additions & 0 deletions test/security.js
Expand Up @@ -87,6 +87,32 @@ describe('security', () => {
expect(res.statusCode).to.equal(404);
});

it('blocks absolute paths at top level path', async () => {

const server = await provisionServer();
server.route({ method: 'GET', path: '/{path*}', handler: { directory: { path: './' } } });

// Confirm success with relative path
const resRel = await server.inject('/directory.js');
expect(resRel.statusCode).to.equal(200);

const resAbs = await server.inject(`/${require.resolve('./directory.js')}`);
expect(resAbs.statusCode).to.equal(404);
});

it('blocks absolute paths non-top level path', async () => {

const server = await provisionServer();
server.route({ method: 'GET', path: '/directory/{path*}', handler: { directory: { path: './' } } });

// Confirm success with relative path
const resRel = await server.inject('/directory/directory.js');
expect(resRel.statusCode).to.equal(200);

const resAbs = await server.inject(`/directory/${require.resolve('./directory.js')}`);
expect(resAbs.statusCode).to.equal(404);
});

it('blocks access to files outside of base directory for file handler', async () => {

const server = await provisionServer();
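Review bot: Both new tests derive the absolute path from `require.resolve('./directory.js')`, so the `resRel` 200 assertions depend on `provisionServer()` resolving the route's `path: './'` against the test directory, which is not visible in the hunk; a comment such as `// provisionServer() resolves './' relative to this test directory` would make that dependency explicit. The injected URL is `/` followed by an absolute path, producing a doubled leading slash on POSIX, and the comment could also state that the handler is expected to receive the absolute form in `request.params`. Only the POSIX form (leading `/`) is exercised; on Windows `require.resolve` returns a drive-letter path with backslashes, so confirm the expected status is still 404 there. The enclosing `describe('security', …)` block starts and ends outside the hunk.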
