Merge pull request #699 from phanect/v13-security

Prevent directory traversal for static file
geddy · Jul 27, 2015 · 2de63b6 · 2de63b6
2 parents 75a7a9f + c0e2ab9
commit 2de63b6
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 3 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -1,6 +1,8 @@
 language: node_js
 node_js:
+  - "0.12"
   - "0.10"
+  - "iojs"
 
 before_install:
   - npm update -g npm

diff --git a/lib/app/index.js b/lib/app/index.js
@@ -176,7 +176,14 @@ var App = function () {
 
 
     // Get the path to the file, decoding the request URI
-    staticPath = this.config.staticFilePath + decodeURIComponent(reqUrl);
+    staticPath = path.resolve(path.join(this.config.staticFilePath, decodeURIComponent(reqUrl)));
+
+    // Prevent directory traversal
+    if (staticPath.indexOf(this.config.staticFilePath) !== 0) {
+      this.handleNotFound(reqUrl, params, reqObj, respObj);
+      return;
+    }
+
     // Ignore querystring
     staticPath = staticPath.split('?')[0];
 

diff --git a/package.json b/package.json
@@ -8,7 +8,7 @@
     "MVC",
     "realtime"
   ],
-  "version": "13.0.7",
+  "version": "13.0.8",
   "author": "Matthew Eernisse <mde@fleegix.org> (http://fleegix.org)",
   "dependencies": {
     "barista": "0.2.x",
@@ -43,4 +43,4 @@
   "engines": {
     "node": "*"
   }
-}
+}