
fix: path traversal in std/http/file_server.ts (#8134)

This commit is contained in:
Luca Casonato 2020-10-27 11:48:45 +01:00 committed by GitHub
parent 9fb4931a95
commit 30f3b831d3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 39 additions and 3 deletions


@ -322,14 +322,15 @@ function html(strings: TemplateStringsArray, ...values: unknown[]): string {
}
function normalizeURL(url: string): string {
let normalizedUrl = posix.normalize(url);
let normalizedUrl = url;
try {
normalizedUrl = decodeURIComponent(normalizedUrl);
normalizedUrl = decodeURI(normalizedUrl);
} catch (e) {
if (!(e instanceof URIError)) {
throw e;
}
}
normalizedUrl = posix.normalize(normalizedUrl);
const startOfParams = normalizedUrl.indexOf("?");
return startOfParams > -1
? normalizedUrl.slice(0, startOfParams)
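Review bot: The new ordering in normalizeURL is security-critical but carries no comment: the switch to `decodeURI` on the changed decode line and the new `posix.normalize(normalizedUrl)` call placed after the try/catch only defeat encoded traversal together, and nothing in this file says so, so a later cleanup could move normalization back before decoding or "upgrade" `decodeURI` to `decodeURIComponent` without noticing the consequence. A short comment above `let normalizedUrl = url;` would pin the intent: `// Decode first so encoded "." / ".." segments are collapsed by normalize too; use decodeURI, not decodeURIComponent, so "%2F" stays encoded and cannot become a path separator.` Separately, posix.normalize only anchors leading ".." segments to "/" when its input starts with "/", and the caller is not visible in this hunk; if a request URL could ever reach this function without a leading slash it would be worth guarding with `if (!normalizedUrl.startsWith("/")) normalizedUrl = "/" + normalizedUrl;` before the normalize call. The tail of normalizeURL (the else branch of the return and the closing brace) lies outside the hunk.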


@ -1,5 +1,9 @@
// Copyright 2018-2020 the Deno authors. All rights reserved. MIT license.
import { assert, assertEquals } from "../testing/asserts.ts";
import {
assert,
assertEquals,
assertStringIncludes,
} from "../testing/asserts.ts";
import { BufReader } from "../io/bufio.ts";
import { TextProtoReader } from "../textproto/mod.ts";
import { ServerRequest } from "./server.ts";
@ -147,6 +151,37 @@ Deno.test("serveFallback", async function (): Promise<void> {
}
});
Deno.test("checkPathTraversal", async function (): Promise<void> {
await startFileServer();
try {
const res = await fetch(
"http://localhost:4507/../../../../../../../..",
);
assert(res.headers.has("access-control-allow-origin"));
assert(res.headers.has("access-control-allow-headers"));
assertEquals(res.status, 200);
const listing = await res.text();
assertStringIncludes(listing, "README.md");
} finally {
await killFileServer();
}
});
Deno.test("checkURIEncodedPathTraversal", async function (): Promise<void> {
await startFileServer();
try {
const res = await fetch(
"http://localhost:4507/%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..",
);
assert(res.headers.has("access-control-allow-origin"));
assert(res.headers.has("access-control-allow-headers"));
assertEquals(res.status, 404);
const _ = await res.text();
} finally {
await killFileServer();
}
});
Deno.test("serveWithUnorthodoxFilename", async function (): Promise<void> {
await startFileServer();
try {