
cel / ssb-exec



Commit 464b2ebf04198512fa3e2bc5a3ab92e8e799ab93

Prevent escape base directory

cel committed on 2/17/2019, 4:33:01 PM
Parent: 9314ed556aff05392a2a7b5046429b1467c248bb

Files changed

index.jschanged
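--- a/index.js
+++ b/index.js
@@ -59,9 +59,14 @@
 return res.end()
 }
 try {
 req.uri = url.parse(req.url.substr(prefix.length), true)
-var resolved = require.resolve(path.join(dir, req.uri.pathname))
+var file = path.normalize(path.join(dir, req.uri.pathname))
+if (dir !== file.substr(0, dir.length)) {
+res.writeHead(403)
+return res.end('Forbidden')
+}
+var resolved = require.resolve(file)
 var prevMtime = mtimes[resolved]
 var mtime = fs.statSync(resolved).mtime.getTime()
 if (mtime !== prevMtime) {
 delete require.cache[resolved]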
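Review bot: The containment check `if (dir !== file.substr(0, dir.length))` compares raw string prefixes, so a normalized path in a sibling directory whose name merely begins with the same characters as `dir` (constructed example: `dir` = `/srv/app`, `file` = `/srv/app-old/x.js`) is still treated as inside the base. Compare on a separator boundary instead, for example `if (file !== dir && file.indexOf(dir + path.sep) !== 0) {`; this assumes `dir` is already absolute, normalized and without a trailing separator, and since `dir` is defined outside this hunk that needs confirming. The check also runs before `require.resolve(file)`, whose result can differ from `file` (extension and index lookup, symlinks), so re-validating `resolved` against the real path of `dir` before the `fs.statSync` and `require.cache` lines would cover that case as well. The enclosing `try` block opens in this hunk and continues past its last line.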
