fix: file access outside the public dir

NetrisTV · Dec 15, 2021 · e83cf65 · e83cf65
1 parent 994d4c6
commit e83cf65
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/src/server/services/HttpServer.ts b/src/server/services/HttpServer.ts
@@ -45,6 +45,11 @@ export class HttpServer implements Service {
             }
             const parsedUrl = url.parse(req.url);
             let pathname = path.join(publicDir, (parsedUrl.pathname || '.').replace(/^(\.)+/, '.'));
+            if (pathname.indexOf(publicDir) !== 0) {
+                res.statusCode = 403;
+                res.end();
+                return;
+            }
             fs.stat(pathname, (statErr, stat) => {
                 if (statErr) {
                     if (statErr.code === 'ENOENT') {