fix(fs): check resolved path against root

This should prevent paths from being resolved above the root. Should affect all commands that utilize the FS functions. Fixes #167
QuorumDMS · Dec 15, 2020 · b5d8fc0 · b5d8fc0
1 parent 722da60
commit b5d8fc0
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 11 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -66,6 +66,7 @@
     "bluebird": "^3.5.1",
     "bunyan": "^1.8.12",
     "ip": "^1.1.5",
+    "is-path-inside": "^3.0.2",
     "lodash": "^4.17.15",
     "moment": "^2.22.1",
     "uuid": "^3.2.1",

diff --git a/src/fs.js b/src/fs.js
@@ -28,8 +28,8 @@ class FileSystem {
     })();
 
     const fsPath = (() => {
-      const resolvedPath = nodePath.join(this.root, clientPath);
-      return nodePath.resolve(nodePath.normalize(nodePath.join(resolvedPath)));
+      const fullPath = nodePath.join(this.root, clientPath);
+      return nodePath.resolve(nodePath.normalize(nodePath.join(fullPath)));
     })();
 
     return {

diff --git a/test/fs.spec.js b/test/fs.spec.js
@@ -5,7 +5,7 @@ const Promise = require('bluebird');
 const FileSystem = require('../src/fs');
 const errors = require('../src/errors');
 
-describe('FileSystem', function () {
+describe.only('FileSystem', function () {
   let fs;
 
   before(function () {
@@ -63,7 +63,14 @@ describe('FileSystem', function () {
     });
 
     it('cannot escape root', function () {
-      const result = fs._resolvePath('../../../../../../../../../../..');
+      // try {
+      //   let res = fs._resolvePath('../../../../../../../../');
+      //   throw new Error('Escaped');
+      // } catch (error) {
+      //   expect(error.message).to.equal('Not a valid directory')
+      // }
+
+      const result = fs._resolvePath('../../../../../');
       expect(result).to.be.an('object');
       expect(result.clientPath).to.equal(
         nodePath.normalize('/'));