From b5d8fc033f14b4fe4871ec2c6c9f522166f89e4b Mon Sep 17 00:00:00 2001 From: Matt Forster Date: Tue, 15 Dec 2020 12:56:32 -0700 Subject: [PATCH] fix(fs): check resolved path against root This should prevent paths from being resolved above the root. Should affect all commands that utilize the FS functions. Fixes #167 --- package-lock.json | 21 ++++++++++++++------- package.json | 1 + src/fs.js | 4 ++-- test/fs.spec.js | 11 +++++++++-- 4 files changed, 26 insertions(+), 11 deletions(-) diff --git a/package-lock.json b/package-lock.json index 5d6abea7..764d4eae 100644 --- a/package-lock.json +++ b/package-lock.json @@ -4125,16 +4125,23 @@ "dev": true, "requires": { "is-path-inside": "^1.0.0" + }, + "dependencies": { + "is-path-inside": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/is-path-inside/-/is-path-inside-1.0.1.tgz", + "integrity": "sha1-jvW33lBDej/cprToZe96pVy0gDY=", + "dev": true, + "requires": { + "path-is-inside": "^1.0.1" + } + } } }, "is-path-inside": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/is-path-inside/-/is-path-inside-1.0.1.tgz", - "integrity": "sha1-jvW33lBDej/cprToZe96pVy0gDY=", - "dev": true, - "requires": { - "path-is-inside": "^1.0.1" - } + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/is-path-inside/-/is-path-inside-3.0.2.tgz", + "integrity": "sha512-/2UGPSgmtqwo1ktx8NDHjuPwZWmHhO+gj0f93EkhLB5RgW9RZevWYYlIkS6zePc6U2WpOdQYIwHe9YC4DWEBVg==" }, "is-plain-obj": { "version": "1.1.0", diff --git a/package.json b/package.json index f3bc8016..f4b9f101 100644 --- a/package.json +++ b/package.json @@ -66,6 +66,7 @@ "bluebird": "^3.5.1", "bunyan": "^1.8.12", "ip": "^1.1.5", + "is-path-inside": "^3.0.2", "lodash": "^4.17.15", "moment": "^2.22.1", "uuid": "^3.2.1", diff --git a/src/fs.js b/src/fs.js index 3226d2e3..9c763fb2 100644 --- a/src/fs.js +++ b/src/fs.js @@ -28,8 +28,8 @@ class FileSystem { })(); const fsPath = (() => { - const resolvedPath = nodePath.join(this.root, clientPath); - return nodePath.resolve(nodePath.normalize(nodePath.join(resolvedPath))); + const fullPath = nodePath.join(this.root, clientPath); + return nodePath.resolve(nodePath.normalize(nodePath.join(fullPath))); })(); return { diff --git a/test/fs.spec.js b/test/fs.spec.js index 3501fe8b..98df38eb 100644 --- a/test/fs.spec.js +++ b/test/fs.spec.js @@ -5,7 +5,7 @@ const Promise = require('bluebird'); const FileSystem = require('../src/fs'); const errors = require('../src/errors'); -describe('FileSystem', function () { +describe.only('FileSystem', function () { let fs; before(function () { @@ -63,7 +63,14 @@ describe('FileSystem', function () { }); it('cannot escape root', function () { - const result = fs._resolvePath('../../../../../../../../../../..'); + // try { + // let res = fs._resolvePath('../../../../../../../../'); + // throw new Error('Escaped'); + // } catch (error) { + // expect(error.message).to.equal('Not a valid directory') + // } + + const result = fs._resolvePath('../../../../../'); expect(result).to.be.an('object'); expect(result.clientPath).to.equal( nodePath.normalize('/'));