@jnode/server 2.2.1 → 2.2.2
- package/README.md +3 -1
- package/package.json +1 -1
- package/src/handlers.js +1 -0
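--- a/package/README.md
+++ b/package/README.md
@@ -401,7 +401,9 @@ Serves a single file with support for HTTP Range requests, caching headers, and
 ### Handler: `FolderHandler(folder[, options])`
 
 - `folder` [\<string\>](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Data_structures#string_type) Path to the folder to serve files from.
-- `options` [\<Object\>](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object)
+- `options` [\<Object\>](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object)
+- `allowHiddenFile` [\<boolean\>](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Data_structures#boolean_type) Allows access to hidden directories and files (whose names begin with `.`).
+- Same as [`FileHandler` options](#handler-filehandlerfile-options).
 
 Serves files from a folder based on remaining path segments. Automatically resolves paths and prevents directory traversal attacks. Internally uses `FileHandler`.
 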
package/package.json
CHANGED
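--- a/package/src/handlers.js
+++ b/package/src/handlers.js
@@ -183,6 +183,7 @@ class FolderHandler {
 const file = path.resolve(this.folder, ...env.path.slice(env.pathPointer));
 
 // safety check
+if (file.includes(path.sep + '.') && !this.options.allowHiddenFile) throw 404;
 const rel = path.relative(this.folder, file);
 if (rel.startsWith('..') || path.isAbsolute(rel)) throw 404;
 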
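Review bot: The hidden-file test on the added line runs against the absolute path `file`, not the part of it below `this.folder`, so a served folder that itself sits under a dot-directory (a root such as `/srv/.site/public`, constructed example) makes every request 404 until `allowHiddenFile` is enabled, which then also exposes the real dotfiles inside the folder. Checking the segments of `rel` after it is computed keeps the rule scoped to the request-controlled part of the path: `if (!this.options.allowHiddenFile && rel.split(path.sep).some((seg) => seg.startsWith('.'))) throw 404;`. This assumes `this.options` is always an object, which the hunk does not show. Because dot-paths are now denied by default, deployments that serve `.well-known/` through this handler will need the option set. The enclosing method starts and ends outside the hunk.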