fix: path traversal in std/http/file_server.ts (#8134)
This commit is contained in:
parent
9fb4931a95
commit
30f3b831d3
2 changed files with 39 additions and 3 deletions
@ -322,14 +322,15 @@ function html(strings: TemplateStringsArray, ...values: unknown[]): string {
|
|||
}
|
||||
|
||||
function normalizeURL(url: string): string {
|
||||
let normalizedUrl = posix.normalize(url);
|
||||
let normalizedUrl = url;
|
||||
try {
|
||||
normalizedUrl = decodeURIComponent(normalizedUrl);
|
||||
normalizedUrl = decodeURI(normalizedUrl);
|
||||
} catch (e) {
|
||||
if (!(e instanceof URIError)) {
|
||||
throw e;
|
||||
}
|
||||
}
|
||||
normalizedUrl = posix.normalize(normalizedUrl);
|
||||
const startOfParams = normalizedUrl.indexOf("?");
|
||||
return startOfParams > -1
|
||||
? normalizedUrl.slice(0, startOfParams)
|
||||
|
|
|
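Review bot: The query string is still attached when `normalizedUrl = posix.normalize(normalizedUrl);` runs and is only cut off afterwards at `?`, so `..` segments inside a query presumably get folded into the path first (`/?x=../../foo` would collapse to `/foo`, after which no `?` is found and `/foo` is returned). Splitting on `?` before decoding keeps query text out of path resolution: `const startOfParams = url.indexOf("?");` and `let normalizedUrl = startOfParams > -1 ? url.slice(0, startOfParams) : url;` at the top of the function, then `return posix.normalize(normalizedUrl);` at the end in place of the ternary. Because `decodeURI` leaves `%3F` encoded, no new `?` can appear after that split. The tail of normalizeURL, including the `: normalizedUrl;` branch, lies outside the hunk, and how `posix.normalize` treats leading `..` on an absolute path is not visible here.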
@ -1,5 +1,9 @@
|
|||
// Copyright 2018-2020 the Deno authors. All rights reserved. MIT license.
|
||||
import { assert, assertEquals } from "../testing/asserts.ts";
|
||||
import {
|
||||
assert,
|
||||
assertEquals,
|
||||
assertStringIncludes,
|
||||
} from "../testing/asserts.ts";
|
||||
import { BufReader } from "../io/bufio.ts";
|
||||
import { TextProtoReader } from "../textproto/mod.ts";
|
||||
import { ServerRequest } from "./server.ts";
|
||||
|
@ -147,6 +151,37 @@ Deno.test("serveFallback", async function (): Promise<void> {
|
|||
}
|
||||
});
|
||||
|
||||
Deno.test("checkPathTraversal", async function (): Promise<void> {
|
||||
await startFileServer();
|
||||
try {
|
||||
const res = await fetch(
|
||||
"http://localhost:4507/../../../../../../../..",
|
||||
);
|
||||
assert(res.headers.has("access-control-allow-origin"));
|
||||
assert(res.headers.has("access-control-allow-headers"));
|
||||
assertEquals(res.status, 200);
|
||||
const listing = await res.text();
|
||||
assertStringIncludes(listing, "README.md");
|
||||
} finally {
|
||||
await killFileServer();
|
||||
}
|
||||
});
|
||||
|
||||
Deno.test("checkURIEncodedPathTraversal", async function (): Promise<void> {
|
||||
await startFileServer();
|
||||
try {
|
||||
const res = await fetch(
|
||||
"http://localhost:4507/%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..",
|
||||
);
|
||||
assert(res.headers.has("access-control-allow-origin"));
|
||||
assert(res.headers.has("access-control-allow-headers"));
|
||||
assertEquals(res.status, 404);
|
||||
const _ = await res.text();
|
||||
} finally {
|
||||
await killFileServer();
|
||||
}
|
||||
});
|
||||
|
||||
Deno.test("serveWithUnorthodoxFilename", async function (): Promise<void> {
|
||||
await startFileServer();
|
||||
try {
|
||||
|
|
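Review bot: `const _ = await res.text();` in checkURIEncodedPathTraversal binds a name that is never read; the intent reads more clearly as `await res.text(); // drain the body so the connection is released before killFileServer` rather than a throwaway binding. checkPathTraversal's `assertStringIncludes(listing, "README.md")` relies on the server being started from a directory that contains README.md, which depends on startFileServer defined outside this hunk; a one-line comment above the assertion noting that the 200 plus listing proves the `..` segments were collapsed onto the served root would make the test's expectation explicit.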