Fixed directory traversal vulnerability. (#114)

Awesome find!
2019-04-02 18:37:40 -04:00 · 2019-04-02 18:37:40 -04:00 · e7ddcb91fc
commit e7ddcb91fc
parent 3095cff7d9
1 changed files with 17 additions and 9 deletions
--- a/src/backend/routes/main.js
+++ b/src/backend/routes/main.js
@ -3,6 +3,7 @@
 const express = require('express');
 const fs      = require('fs');
 const PACKAGE = require('../../../package.json');
+const path    = require('path')

 const router = express.Router({
    caseSensitive: true,
@ -29,7 +30,9 @@ router.get(/(.*)/, function (req, res, next) {
            version: PACKAGE.version
        });
    } else {
-        fs.readFile('dist' + req.params.page, 'utf8', function (err, data) {
+        var p = path.normalize('dist' + req.params.page)
+        if (p.startsWith('dist')) { // Allow access to ressources under 'dist' directory only.
+            fs.readFile(p, 'utf8', function (err, data) {
                if (err) {
                    res.render('index', {
                        version: PACKAGE.version
@ -38,6 +41,11 @@ router.get(/(.*)/, function (req, res, next) {
                    res.contentType('text/html').end(data);
                }
            });
+        } else {
+            res.render('index', {
+                version: PACKAGE.version
+            });
+        }
    }
 });