Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

fix(request): handle "double dots" in URL #124

Merged
merged 1 commit into from
Jan 21, 2024
Merged

Conversation

yusukebe
Copy link
Member

Fixes #123

Since v1.3.0, we use our own Request object. This is great, but the url behavior is unexpected.

In the standard API, if the URL contains .., here called "double dots", the URL string returned by Request will be in the resolved path.

const req = new Request('http://localhost/static/../foo.txt') // Web-standards
console.log(req.url) // /http://localhost/foo.txt

However, our url as implemented below does not resolve double dots, so http://localhost/static/.. /foo.txt is returned.

get url() {
return `http://${this[incomingKey].headers.host}${this[incomingKey].url}`
},

This causes vulnerabilities like #123 when using serveStatic.

So this must be fixed immediately. This PR solves that. The path will be checked on every request, which may have a performance impact but must be allowed for.

@yusukebe yusukebe merged commit dd9b9a9 into main Jan 21, 2024
3 checks passed
@yusukebe yusukebe deleted the fix/request-double-dots branch January 21, 2024 07:54
@yusukebe
Copy link
Member Author

Hi @usualoma !

I wanted to have this PR reviewed, but since it should be released soon, I am merging it. I think the behavior is fine, and if you can improve the performance, I would like you to create another PR.

# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Security vulnerability with serveStatic
1 participant