authorjfarrell <jfarrell@apache.org>2018-10-04 23:00:28 -0400
committerJames E. King III <jking@apache.org>2018-10-11 10:19:50 -0400
commit2a2b72f6c8aef200ecee4984f011e06052288ff2 (patch)
treef5f9f716e85fd2f2e1a183ec7f21000c46ce4356 /lib/nodejs
parentd566da7739c9aae63fe7fc9d267887fa73e5dda7 (diff)
downloadthrift-2a2b72f6c8aef200ecee4984f011e06052288ff2.tar.gz
Thrift-4647: Node.js Filesever webroot fixed path
Updates the Node.js file server to use a fixed base webroot that cannot be escaped by end users.
Diffstat (limited to 'lib/nodejs')
-rw-r--r--lib/nodejs/lib/thrift/web_server.js10
1 files changed, 9 insertions, 1 deletions
diff --git a/lib/nodejs/lib/thrift/web_server.js b/lib/nodejs/lib/thrift/web_server.js
index 0093c8a08..a33f47aed 100644
--- a/lib/nodejs/lib/thrift/web_server.js
+++ b/lib/nodejs/lib/thrift/web_server.js
@@ -415,7 +415,15 @@ exports.createWebServer = function(options) {
//Locate the file requested and send it
var uri = url.parse(request.url).pathname;
- var filename = path.join(baseDir, uri);
+ var filename = path.resolve(path.join(baseDir, uri));
+
+ //Ensure the basedir path is not able to be escaped
+ if (filename.indexOf(baseDir) != 0) {
+ response.writeHead(400, "Invalid request path", {});
+ response.end();
+ return;
+ }
+
fs.exists(filename, function(exists) {
if(!exists) {
response.writeHead(404);
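Review bot: The containment test `filename.indexOf(baseDir) != 0` is a plain string-prefix comparison, so a resolved path in a sibling directory whose name merely begins with the base directory's name still passes. Compare on a separator boundary instead: `var root = path.resolve(baseDir);` followed by `if (filename !== root && filename.indexOf(root + path.sep) !== 0) {`. How baseDir is set is outside this hunk; if it can be relative or un-normalized, the current check would reject every request with 400, and resolving it first fixes that too. `path.resolve` does not follow symlinks, so a link inside the webroot that points outside it is not caught here; that would need an `fs.realpath` comparison before the file is served. The enclosing request handler starts and ends outside the hunk.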