npm - crypto-swap - Versions diffs - 1.2.0 → 1.2.1 - Mend

crypto-swap 1.2.0 → 1.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/package.json +1 -1
package/swap.js +10 -0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "crypto-swap",
-  "version": "1.2.0",
+  "version": "1.2.1",
   "description": "LightningEX Cryptocurrency Swap CLI",
   "main": "swap.js",
   "bin": {

package/swap.js CHANGED Viewed

@@ -822,6 +822,16 @@ async function cmdUI(args) {
     // Remove query string from URL
     const urlPath = req.url.split('?')[0];
     let filePath = path.join(uiDir, urlPath === '/' ? 'index.html' : urlPath);
+    // Prevent path traversal: ensure filePath is within uiDir
+    const resolvedPath = path.resolve(filePath);
+    const resolvedUiDir = path.resolve(uiDir);
+    if (!resolvedPath.startsWith(resolvedUiDir)) {
+      res.writeHead(403);
+      res.end('Forbidden');
+      return;
+    }
     const ext = path.extname(filePath);
     const contentType = {
       '.html': 'text/html',