foster/denoland-deno
0
0
Fork 0
mirror of https://github.com/denoland/deno.git synced 2025-02-02 04:38:21 -05:00
Code Issues Packages 1 Wiki Activity

fix: path traversal in std/http/file_server.ts (#8134)

Browse source
This commit is contained in:
Luca Casonato 2020-10-27 11:48:45 +01:00 committed by GitHub
parent 9fb4931a95
commit 30f3b831d3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 39 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
std/http/file_server.ts
View file

@ -322,14 +322,15 @@ function html(strings: TemplateStringsArray, ...values: unknown[]): string {
} }
function normalizeURL(url: string): string { function normalizeURL(url: string): string {
let normalizedUrl = posix.normalize(url); let normalizedUrl = url;
try { try {
normalizedUrl = decodeURIComponent(normalizedUrl); normalizedUrl = decodeURI(normalizedUrl);
} catch (e) { } catch (e) {
if (!(e instanceof URIError)) { if (!(e instanceof URIError)) {
throw e; throw e;
} }
} }
normalizedUrl = posix.normalize(normalizedUrl);
const startOfParams = normalizedUrl.indexOf("?"); const startOfParams = normalizedUrl.indexOf("?");
return startOfParams > -1 return startOfParams > -1
? normalizedUrl.slice(0, startOfParams) ? normalizedUrl.slice(0, startOfParams)

37
std/http/file_server_test.ts
View file

@ -1,5 +1,9 @@
// Copyright 2018-2020 the Deno authors. All rights reserved. MIT license. // Copyright 2018-2020 the Deno authors. All rights reserved. MIT license.
import { assert, assertEquals } from "../testing/asserts.ts"; import {
assert,
assertEquals,
assertStringIncludes,
} from "../testing/asserts.ts";
import { BufReader } from "../io/bufio.ts"; import { BufReader } from "../io/bufio.ts";
import { TextProtoReader } from "../textproto/mod.ts"; import { TextProtoReader } from "../textproto/mod.ts";
import { ServerRequest } from "./server.ts"; import { ServerRequest } from "./server.ts";
@ -147,6 +151,37 @@ Deno.test("serveFallback", async function (): Promise<void> {
} }
}); });
Deno.test("checkPathTraversal", async function (): Promise<void> {
await startFileServer();
try {
const res = await fetch(
"http://localhost:4507/../../../../../../../..",
);
assert(res.headers.has("access-control-allow-origin"));
assert(res.headers.has("access-control-allow-headers"));
assertEquals(res.status, 200);
const listing = await res.text();
assertStringIncludes(listing, "README.md");
} finally {
await killFileServer();
}
});
Deno.test("checkURIEncodedPathTraversal", async function (): Promise<void> {
await startFileServer();
try {
const res = await fetch(
"http://localhost:4507/%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..",
);
assert(res.headers.has("access-control-allow-origin"));
assert(res.headers.has("access-control-allow-headers"));
assertEquals(res.status, 404);
const _ = await res.text();
} finally {
await killFileServer();
}
});
Deno.test("serveWithUnorthodoxFilename", async function (): Promise<void> { Deno.test("serveWithUnorthodoxFilename", async function (): Promise<void> {
await startFileServer(); await startFileServer();
try { try {