From 54356a41474cccb0e2e2a7fc4b646812acadb7ec Mon Sep 17 00:00:00 2001
From: jfarrell
Date: Thu, 4 Oct 2018 23:00:28 -0400
Subject: [PATCH] Thrift-4647: Node.js Filesever webroot fixed path

Updates the node.js fileserver to have a fixed based webroot which can not be escaped by end users.
---
 lib/js/test/server_http.js | 2 +-
 lib/js/test/server_https.js | 2 +-
 lib/nodejs/lib/thrift/web_server.js | 10 +++++++++-
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/lib/js/test/server_http.js b/lib/js/test/server_http.js
index e195e80..c516409 100644
--- a/lib/js/test/server_http.js
+++ b/lib/js/test/server_http.js
@@ -36,7 +36,7 @@ var ThriftTestSvcOpt = {
 };
 
 var ThriftWebServerOptions = {
- files: ".",
+ files: __dirname,
 services: {
 "/service": ThriftTestSvcOpt
 }
diff --git a/lib/js/test/server_https.js b/lib/js/test/server_https.js
index af1745b..9499b09 100644
--- a/lib/js/test/server_https.js
+++ b/lib/js/test/server_https.js
@@ -40,7 +40,7 @@ var ThriftTestSvcOpt = {
 };
 
 var ThriftWebServerOptions = {
- files: ".",
+ files: __dirname,
 tls: {
 key: fs.readFileSync("../../../test/keys/server.key"),
 cert: fs.readFileSync("../../../test/keys/server.crt")
diff --git a/lib/nodejs/lib/thrift/web_server.js b/lib/nodejs/lib/thrift/web_server.js
index 37159ea..47e8a9f 100644
--- a/lib/nodejs/lib/thrift/web_server.js
+++ b/lib/nodejs/lib/thrift/web_server.js
@@ -414,7 +414,15 @@ exports.createWebServer = function(options) {
 //Locate the file requested and send it
 var uri = url.parse(request.url).pathname;
- var filename = path.join(baseDir, uri);
+ var filename = path.resolve(path.join(baseDir, uri));
+
+ //Ensure the basedir path is not able to be escaped
+ if (filename.indexOf(baseDir) != 0) {
+ response.writeHead(400, "Invalid request path", {});
+ response.end();
+ return;
+ }
+
 fs.exists(filename, function(exists) {
 if(!exists) {
 response.writeHead(404);
-- 
2.23.0
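Review bot: The prefix test `filename.indexOf(baseDir) != 0` in the web_server.js hunk accepts any sibling path that merely starts with the same characters, so with a webroot of `/srv/www` a request that resolves to `/srv/wwwsecret/x` is still served; the boundary has to be a whole path segment. It also compares an absolute, resolved `filename` against `baseDir` as supplied, which (its assignment and the start of `createWebServer` are outside the hunk) appears to be the raw `files` option — a relative value such as the old `"."` can never be a prefix of the resolved path, so every request would get a 400, which is presumably why both test servers now pass `__dirname`. Resolving the root once and requiring a separator covers both cases: `var root = path.resolve(baseDir);`, `var filename = path.resolve(path.join(root, uri));`, `if (filename !== root && filename.indexOf(root + path.sep) != 0) {`. This remains a purely lexical check: a symlink inside the webroot pointing elsewhere is still followed by `fs.exists` and the subsequent read, so the contents of the served directory must themselves be trusted.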