Fix path issue (#76)
AndyBitz authored Feb 5, 2019
1 parent e03dc87 commit c212e2d
Showing 3 changed files with 17 additions and 2 deletions.
5 changes: 3 additions & 2 deletions src/index.js
@@ -21,14 +21,15 @@ const errorTemplate = require('./error');
const sourceMatches = (source, requestPath, allowSegments) => {
const keys = [];
const slashed = slasher(source);
const resolvedPath = path.resolve(requestPath);

let results = null;

if (allowSegments) {
const normalized = slashed.replace('*', '(.*)');
const expression = pathToRegExp(normalized, keys);

results = expression.exec(requestPath);
results = expression.exec(resolvedPath);

if (!results) {
// clear keys so that they are not used
@@ -38,7 +39,7 @@ const sourceMatches = (source, requestPath, allowSegments) => {
}
}

if (results || minimatch(requestPath, slashed)) {
if (results || minimatch(resolvedPath, slashed)) {
return {
keys,
results
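Review bot: `path.resolve(requestPath)` at the top of `sourceMatches` is platform-dependent: on Windows it returns a drive-prefixed, backslash-separated path, and for a non-absolute input it resolves against the process working directory, so the value handed to `expression.exec` and `minimatch` may no longer look like a URL path and slash-based `source` patterns could stop matching. Because the input is a request path rather than a filesystem path, `const resolvedPath = path.posix.resolve('/', requestPath);` keeps the dot-segment collapsing while staying slash-based on every platform. Whether `requestPath` has already been percent-decoded before it reaches this function is not visible in the hunk; if it has not, encoded dot segments would pass through unresolved, which deserves a comment above the `resolvedPath` line stating the assumption. The body of `sourceMatches` continues outside both hunks.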
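--- a/test/fixtures/secret
+++ b/test/fixtures/secret
@@ -0,0 +1 @@
+secret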
13 changes: 13 additions & 0 deletions test/integration.js
@@ -1284,3 +1284,16 @@ test('log error when checking `404.html` failed', async t => {

t.is(text, content);
});

test('prevent access to parent directory', async t => {
const url = await getUrl({
rewrites: [
{source: '/secret', destination: '/404.html'}
]
});

const response = await fetch(`${url}/dir/../secret`);
const text = await response.text();

t.is(text.trim(), '<span>Not Found</span>');
});
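Review bot: The new test 'prevent access to parent directory' depends on the HTTP client sending `/dir/../secret` exactly as written; a client that collapses dot segments before sending would request `/secret` directly, and the test would pass without ever reaching the `path.resolve` change. A short comment above the `fetch` call such as `// relies on fetch sending the '..' segment unnormalized` would make that assumption visible, and asserting `response.status` alongside the body would pin the outcome more tightly. The test also covers only the rewritten `/secret` route, so what it demonstrates is that the rewrite rule still applies to a dot-segment path rather than a general parent-directory restriction; the test name could say so.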
