npm - javascript-solid-server - Versions diffs - 0.0.166 → 0.0.168 - Mend

javascript-solid-server 0.0.166 → 0.0.168

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/.claude/settings.local.json +2 -1
package/package.json +1 -1
package/src/auth/middleware.js +1 -1
package/src/utils/url.js +7 -4
package/test/url.test.js +56 -2

package/.claude/settings.local.json CHANGED Viewed

@@ -378,7 +378,8 @@
       "Bash(terser losos/html.js -m -c)",
       "Bash(terser losos/store.js -m -c)",
       "Bash(terser losos/registry.js -m -c)",
-      "Bash(terser losos/losos.js -m -c)"
+      "Bash(terser losos/losos.js -m -c)",
+      "Bash(DATA_ROOT=/tmp/whatever node --test test/url.test.js)"
     ]
   }
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.166",
+  "version": "0.0.168",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/auth/middleware.js CHANGED Viewed

@@ -362,7 +362,7 @@ function getErrorPage(statusCode, isAuthenticated, request) {
       <p class="subtitle">${subtitle}</p>
       <div class="actions">
-        ${is401 ? `<a href="https://solidos.solidcommunity.net/?uri=${encodeURIComponent(baseUrl + request.url)}" class="btn btn-primary">
+        ${is401 ? `<a href="https://solidos.org/docs/browser/?uri=${encodeURIComponent(baseUrl + request.url)}" class="btn btn-primary">
           Open in Data Browser
         </a>` : ''}
         <a href="${baseUrl}/" class="btn btn-secondary">

package/src/utils/url.js CHANGED Viewed

@@ -22,8 +22,11 @@ export function updateDataRoot() {
  * @throws {Error} - If path traversal is detected
  */
 export function urlToPath(urlPath) {
-  // Normalize: remove leading slash, decode URI
-  let normalized = urlPath.startsWith('/') ? urlPath.slice(1) : urlPath;
+  // Normalize: strip all leading slashes (#131 — `//foo` from bot probes
+  // would otherwise leave `/foo`, and path.resolve(root, '/foo') would
+  // treat the second arg as absolute, escape dataRoot, and trip the
+  // traversal guard with a 500 instead of resolving cleanly to a 404).
+  let normalized = urlPath.replace(/^\/+/, '');
   normalized = decodeURIComponent(normalized);
   // Security: remove path traversal attempts (multiple passes for ....// bypass)
@@ -54,8 +57,8 @@ export function urlToPath(urlPath) {
  * @throws {Error} - If path traversal is detected
  */
 export function urlToPathWithPod(urlPath, podName) {
-  // Normalize: remove leading slash, decode URI
-  let normalized = urlPath.startsWith('/') ? urlPath.slice(1) : urlPath;
+  // Normalize: strip all leading slashes (#131 — see urlToPath for context).
+  let normalized = urlPath.replace(/^\/+/, '');
   normalized = decodeURIComponent(normalized);
   // Security: remove path traversal attempts (multiple passes for ....// bypass)

package/test/url.test.js CHANGED Viewed

@@ -5,9 +5,10 @@
  * Regression guard for #278 (single-user root-pod PUT → ENOTDIR).
  */
-import { describe, it } from 'node:test';
+import { describe, it, before, after } from 'node:test';
 import assert from 'node:assert';
-import { getPodName, getContentType } from '../src/utils/url.js';
+import path from 'path';
+import { getPodName, getContentType, urlToPath, urlToPathWithPod } from '../src/utils/url.js';
 describe('getPodName', () => {
   describe('subdomain mode', () => {
@@ -126,3 +127,56 @@ describe('getContentType', () => {
     });
   });
 });
+describe('urlToPath / urlToPathWithPod (#131 — leading-slash normalization)', () => {
+  // Bot probes hammer JSS with `//foo`, `///wp-admin/...`, etc. Without
+  // multi-slash stripping these used to escape dataRoot via path.resolve
+  // (which treats `/foo` as absolute) and 500 with "Path traversal detected"
+  // instead of the expected 404.
+  // Save/restore DATA_ROOT — other test suites mutate process.env.DATA_ROOT
+  // (via createServer's root option) and don't always restore it. Pinning
+  // to './data' keeps the assertions stable across run order.
+  let originalDataRoot;
+  before(() => {
+    originalDataRoot = process.env.DATA_ROOT;
+    delete process.env.DATA_ROOT;  // forces getDataRoot() default of './data'
+  });
+  after(() => {
+    if (originalDataRoot === undefined) delete process.env.DATA_ROOT;
+    else process.env.DATA_ROOT = originalDataRoot;
+  });
+  const dataRoot = path.resolve('./data');
+  describe('urlToPath', () => {
+    it('resolves a normal path inside dataRoot', () => {
+      assert.strictEqual(urlToPath('/alice/profile/card'), path.join(dataRoot, 'alice/profile/card'));
+    });
+    it('handles double leading slash without throwing (#131)', () => {
+      assert.strictEqual(urlToPath('//about.php'), path.join(dataRoot, 'about.php'));
+    });
+    it('handles many leading slashes (#131)', () => {
+      assert.strictEqual(urlToPath('////wp-admin/index.php'), path.join(dataRoot, 'wp-admin/index.php'));
+    });
+    it('still rejects real `..` traversal that escapes after normalization', () => {
+      // Security must be preserved: `/../etc/passwd` → strip leading slash →
+      // `../etc/passwd` → strip `..` → `/etc/passwd` (absolute residue) →
+      // path.resolve escapes dataRoot → guard fires.
+      assert.throws(() => urlToPath('/../etc/passwd'), /Path traversal/);
+    });
+  });
+  describe('urlToPathWithPod', () => {
+    it('resolves into the pod dir', () => {
+      assert.strictEqual(urlToPathWithPod('/profile/card', 'alice'), path.join(dataRoot, 'alice/profile/card'));
+    });
+    it('handles double leading slash (#131)', () => {
+      assert.strictEqual(urlToPathWithPod('//about.php', 'alice'), path.join(dataRoot, 'alice/about.php'));
+    });
+  });
+});