diff options
author | jfarrell <jfarrell@apache.org> | 2018-10-04 23:00:28 -0400 |
---|---|---|
committer | James E. King III <jking@apache.org> | 2018-10-11 10:19:50 -0400 |
commit | 2a2b72f6c8aef200ecee4984f011e06052288ff2 (patch) | |
tree | f5f9f716e85fd2f2e1a183ec7f21000c46ce4356 /lib/nodejs | |
parent | d566da7739c9aae63fe7fc9d267887fa73e5dda7 (diff) | |
download | thrift-2a2b72f6c8aef200ecee4984f011e06052288ff2.tar.gz |
Thrift-4647: Node.js Filesever webroot fixed path
Updates the node.js fileserver to have a fixed based webroot which can
not be escaped by end users.
Diffstat (limited to 'lib/nodejs')
-rw-r--r-- | lib/nodejs/lib/thrift/web_server.js | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/lib/nodejs/lib/thrift/web_server.js b/lib/nodejs/lib/thrift/web_server.js index 0093c8a08..a33f47aed 100644 --- a/lib/nodejs/lib/thrift/web_server.js +++ b/lib/nodejs/lib/thrift/web_server.js @@ -415,7 +415,15 @@ exports.createWebServer = function(options) { //Locate the file requested and send it var uri = url.parse(request.url).pathname; - var filename = path.join(baseDir, uri); + var filename = path.resolve(path.join(baseDir, uri)); + + //Ensure the basedir path is not able to be escaped + if (filename.indexOf(baseDir) != 0) { + response.writeHead(400, "Invalid request path", {}); + response.end(); + return; + } + fs.exists(filename, function(exists) { if(!exists) { response.writeHead(404); |