From 08931fcef7e67b3f6aac7b207eafa31d3754f1ef Mon Sep 17 00:00:00 2001 From: Gil Pedersen Date: Wed, 3 Dec 2014 13:14:44 +0100 Subject: [PATCH] Don't allow files in hidden directories to be served --- lib/directory.js | 2 +- package.json | 2 +- test/directory.js | 52 +++++++++++++++++++++++++++++++++++++++++++++-- 3 files changed, 52 insertions(+), 4 deletions(-) diff --git a/lib/directory.js b/lib/directory.js index 8880676..e15c78c 100755 --- a/lib/directory.js +++ b/lib/directory.js @@ -229,7 +229,7 @@ internals.generateListing = function (path, resource, selection, hasTrailingSlas internals.isFileHidden = function (path) { - return /^\./.test(Path.basename(path)); + return /(^|[\\\/])\.([^\\\/]|[\\\/]?$)/.test(path); // Starts with a '.' or contains '/.' or '\.', and not followed by a '/' or '\' or end }; diff --git a/package.json b/package.json index e03a559..7c375ed 100755 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "inert", "description": "Static file and directory handlers for hapi.js", - "version": "1.1.0", + "version": "1.1.1", "repository": "git://github.com/hapijs/inert", "main": "index", "keywords": [ diff --git a/test/directory.js b/test/directory.js index 5b435e1..3cc3f58 100755 --- a/test/directory.js +++ b/test/directory.js @@ -274,7 +274,7 @@ describe('handler()', function () { }); }); - it('returns the index when found in hidden folder', function (done) { + it('returns the index when served from a hidden folder', function (done) { var server = provisionServer({ files: { relativeTo: __dirname } }); server.route({ method: 'GET', path: '/{path*}', handler: { directoryTest: { path: './directory/.dot' } } }); 
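Review bot: The trailing comment on the new `internals.isFileHidden` regex contradicts the pattern: the second alternative `[\\\/]?$` makes a bare `.`, a trailing `/.` and a trailing `./` match, while the comment says a dot followed by a separator or by end of string is excluded. Either the comment should be corrected or, if only dot-prefixed named segments are meant, the pattern can be reduced to `/(^|[\\\/])\.[^\\\/]/`, which drops the end-of-string cases (it still flags `..`, which looks acceptable for a hidden check). Because the test now scans every segment rather than `Path.basename`, it only behaves as intended if `path` is relative to the configured root and not the absolute filesystem path — the unchanged tests that configure `path: './directory/.dot'` and still get 200 suggest that, but it is worth stating in a JSDoc along the lines of `// path must be the request path relative to the handler root; a dot-prefixed segment anywhere in it marks the entry hidden`. Any percent-decoding and `..` normalization has to happen before this check; the caller is outside the hunk so that cannot be confirmed here.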
@@ -293,7 +293,7 @@ describe('handler()', function () { }); }); - it('returns listing when found in hidden folder', function (done) { + it('returns listing when served from a hidden folder', function (done) { var server = provisionServer({ files: { relativeTo: __dirname } }); server.route({ method: 'GET', path: '/{path*}', handler: { directoryTest: { path: './directory/.dot', index: false, listing: true } } }); @@ -373,6 +373,35 @@ describe('handler()', function () { }); }); + it('returns a 404 response when requesting a file in a hidden directory when showHidden is disabled', function (done) { + + var server = provisionServer({ files: { relativeTo: __dirname } }); + server.route({ method: 'GET', path: '/noshowhidden/{path*}', handler: { directoryTest: { path: './directory', listing: true } } }); + + server.inject('/noshowhidden/.dot/index.html', function (res) { + + expect(res.statusCode).to.equal(404); + + server.inject('/noshowhidden/.dot/', function (res) { + + expect(res.statusCode).to.equal(404); + done(); + }); + }); + }); + + it('returns a 404 response when requesting a hidden directory listing when showHidden is disabled', function (done) { + + var server = provisionServer({ files: { relativeTo: __dirname } }); + server.route({ method: 'GET', path: '/noshowhidden/{path*}', handler: { directoryTest: { path: './directory', listing: true, index: false } } }); + + server.inject('/noshowhidden/.dot/', function (res) { + + expect(res.statusCode).to.equal(404); + done(); + }); + }); + it('returns a file when requesting a hidden file when showHidden is enabled', function (done) { var server = provisionServer({ files: { relativeTo: __dirname } }); 
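Review bot: The two new 404 tests only request `/noshowhidden/.dot/index.html` and `/noshowhidden/.dot/` with the trailing slash, so they do not cover the path that most easily leaks the existence of a hidden directory: a request for `/noshowhidden/.dot` without the slash, which the redirect-to-slash behaviour tested further down this file may answer with a 302 before the hidden check runs. Adding `server.inject('/noshowhidden/.dot', function (res) { expect(res.statusCode).to.equal(404); ... })` to the first test would pin that down, assuming the handler applies the hidden check before redirecting. A case with the hidden segment deeper than the first level (for example `sub/.dot/index.html`) would also exercise the "anywhere in the path" part of the new regex, which no test here does; whether such a fixture exists under `test/directory` is not visible from this hunk.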
@@ -385,6 +414,25 @@ describe('handler()', function () { }); }); + it('returns a a file when requesting a file in a hidden directory when showHidden is enabled', function (done) { + + var server = provisionServer({ files: { relativeTo: __dirname } }); + server.route({ method: 'GET', path: '/noshowhidden/{path*}', handler: { directoryTest: { path: './directory', showHidden: true, listing: true } } }); + + server.inject('/noshowhidden/.dot/index.html', function (res) { + + expect(res.statusCode).to.equal(200); + expect(res.payload).to.contain('test'); + + server.inject('/noshowhidden/.dot/', function (res) { + + expect(res.statusCode).to.equal(200); + expect(res.payload).to.contain('test'); + done(); + }); + }); + }); + it('redirects to the same path with / appended if asking for a directory', function (done) { var server = provisionServer({ files: { relativeTo: __dirname } });