kempo-server 1.7.0 → 1.7.2

package/README.md

@@ -213,6 +213,11 @@ export default async function(request, response) {
 
 To configure the server, create a configuration file (by default `.config.json`) within the root directory of your server (`public` in the start example [above](#getting-started)). You can specify a different configuration file using the `--config` flag.
 
+**Important:** 
+- When using a relative path for the `--config` flag, the config file must be located within the server root directory
+- When using an absolute path for the `--config` flag, the config file can be located anywhere on the filesystem
+- The server will throw an error if you attempt to use a relative config file path that points outside the root directory
+
 This json file can have any of the following properties, any property not defined will use the "Default Config".
 
 - [allowedMimes](#allowedmimes)
@@ -558,35 +563,41 @@ An array of regex patterns for paths that should not trigger a file system resca
 
 An object mapping custom route paths to file paths. Useful for aliasing or serving files from outside the document root.
 
+**Note:** All file paths in customRoutes are resolved relative to the server root directory (the `--root` path). This allows you to reference files both inside and outside the document root.
+
 **Basic Routes:**
 ```json
 {
   "customRoutes": {
-    "/vendor/bootstrap.css": "./node_modules/bootstrap/dist/css/bootstrap.min.css",
+    "/vendor/bootstrap.css": "../node_modules/bootstrap/dist/css/bootstrap.min.css",
     "/api/status": "./status.js"
   }
 }
 ```
 
 **Wildcard Routes:**
-Wildcard routes allow you to map entire directory structures using the `*` wildcard:
+Wildcard routes allow you to map entire directory structures using the `*` and `**` wildcards:
 
 ```json
 {
   "customRoutes": {
-    "kempo/*": "./node_modules/kempo/dust/*",
-    "assets/*": "./static-files/*",
-    "docs/*": "./documentation/*"
+    "kempo/*": "../node_modules/kempo/dist/*",
+    "assets/*": "../static-files/*",
+    "docs/*": "../documentation/*",
+    "src/**": "../src/**"
   }
 }
 ```
 
 With wildcard routes:
-- `kempo/styles.css` would serve `./node_modules/kempo/dust/styles.css`
-- `assets/logo.png` would serve `./static-files/logo.png`  
-- `docs/readme.md` would serve `./documentation/readme.md`
-
-The `*` wildcard matches any single path segment (anything between `/` characters). Multiple wildcards can be used in a single route pattern.
+- `kempo/styles.css` would serve `../node_modules/kempo/dist/styles.css`
+- `assets/logo.png` would serve `../static-files/logo.png`  
+- `docs/readme.md` would serve `../documentation/readme.md`
+- `src/components/Button.js` would serve `../src/components/Button.js`
+
+The `*` wildcard matches any single path segment (anything between `/` characters).
+The `**` wildcard matches any number of path segments, allowing you to map entire directory trees.
+Multiple wildcards can be used in a single route pattern.
 
 ### maxRescanAttempts
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "kempo-server",
   "type": "module",
-  "version": "1.7.0",
+  "version": "1.7.2",
   "description": "A lightweight, zero-dependency, file based routing server.",
   "main": "dist/index.js",
   "bin": {

package/src/defaultConfig.js

@@ -88,8 +88,8 @@ export default {
   ],
   maxRescanAttempts: 3,
   customRoutes: {
-    // Example: "/vendor/bootstrap.css": "./node_modules/bootstrap/dist/css/bootstrap.min.css"
-    // Wildcard example: "kempo/*": "./node_modules/kempo/dust/*"
+    // Example: "/vendor/bootstrap.css": "../node_modules/bootstrap/dist/css/bootstrap.min.css"
+    // Wildcard example: "kempo/*": "../node_modules/kempo/dust/*"
   },
   middleware: {
     // Built-in middleware configuration

package/src/router.js

@@ -17,7 +17,7 @@ import {
 
 export default async (flags, log) => {
   log('Initializing router', 2);
-  const rootPath = path.join(process.cwd(), flags.root);
+  const rootPath = path.isAbsolute(flags.root) ? flags.root : path.join(process.cwd(), flags.root);
   log(`Root path: ${rootPath}`, 2);
   
   let config = defaultConfig;
@@ -27,6 +27,25 @@ export default async (flags, log) => {
     const configPath = path.isAbsolute(configFileName) 
       ? configFileName 
       : path.join(rootPath, configFileName);
+    
+    log(`Config file name: ${configFileName}`, 2);
+    log(`Config path: ${configPath}`, 2);
+    
+    // Validate that config file is within the server root directory
+    // Allow absolute paths (user explicitly specified location)
+    if (!path.isAbsolute(configFileName)) {
+      const relativeConfigPath = path.relative(rootPath, configPath);
+      log(`Relative config path: ${relativeConfigPath}`, 2);
+      log(`Starts with '..': ${relativeConfigPath.startsWith('..')}`, 2);
+      if (relativeConfigPath.startsWith('..') || path.isAbsolute(relativeConfigPath)) {
+        log(`Validation failed - throwing error`, 2);
+        throw new Error(`Config file must be within the server root directory. Config path: ${configPath}, Root path: ${rootPath}`);
+      }
+      log(`Validation passed`, 2);
+    } else {
+      log(`Config file name is absolute, skipping validation`, 2);
+    }
+    
     log(`Loading config from: ${configPath}`, 2);
     const configContent = await readFile(configPath, 'utf8');
     const userConfig = JSON.parse(configContent);
@@ -53,6 +72,11 @@ export default async (flags, log) => {
     };
     log('User config loaded and merged with defaults', 2);
   } catch (e){
+    // Only fall back to default config for file reading/parsing errors
+    // Let validation errors propagate up
+    if (e.message.includes('Config file must be within the server root directory')) {
+      throw e;
+    }
     log('Using default config (no config file found)', 2);
   }
   
@@ -136,27 +160,19 @@ export default async (flags, log) => {
   
   if (config.customRoutes && Object.keys(config.customRoutes).length > 0) {
     log(`Processing ${Object.keys(config.customRoutes).length} custom routes`, 2);
-    
     for (const [urlPath, filePath] of Object.entries(config.customRoutes)) {
-      try {
-        // Check if this is a wildcard route
-        if (urlPath.includes('*')) {
-          // Store wildcard routes separately for pattern matching
-          wildcardRoutes.set(urlPath, filePath);
-          log(`Wildcard route mapped: ${urlPath} -> ${filePath}`, 2);
-        } else {
-          // Resolve the file path relative to the current working directory
-          const resolvedPath = path.resolve(filePath);
-          
-          // Check if the file exists (we'll do this async)
-          const { stat } = await import('fs/promises');
-          await stat(resolvedPath);
-          
-          customRoutes.set(urlPath, resolvedPath);
-          log(`Custom route mapped: ${urlPath} -> ${resolvedPath}`, 2);
-        }
-      } catch (error) {
-        log(`Custom route error for ${urlPath} -> ${filePath}: ${error.message}`, 1);
+      // Check if this is a wildcard route
+      if (urlPath.includes('*')) {
+        // Resolve the file path relative to rootPath if relative, otherwise use absolute path
+        const resolvedPath = path.isAbsolute(filePath) ? filePath : path.resolve(rootPath, filePath);
+        // Store wildcard routes separately for pattern matching
+        wildcardRoutes.set(urlPath, resolvedPath);
+        log(`Wildcard route mapped: ${urlPath} -> ${resolvedPath}`, 2);
+      } else {
+        // Resolve the file path relative to rootPath if relative, otherwise use absolute path
+        const resolvedPath = path.isAbsolute(filePath) ? filePath : path.resolve(rootPath, filePath);
+        customRoutes.set(urlPath, resolvedPath);
+        log(`Custom route mapped: ${urlPath} -> ${resolvedPath}`, 2);
       }
     }
   }
@@ -187,7 +203,9 @@ export default async (flags, log) => {
       }
     }
     
-    return path.resolve(resolvedPath);
+    // If the path is already absolute, return it as-is
+    // If it's relative, resolve it relative to rootPath
+    return path.isAbsolute(resolvedPath) ? resolvedPath : path.resolve(rootPath, resolvedPath);
   };
   
   // Helper function to find matching wildcard route
@@ -247,39 +265,63 @@ export default async (flags, log) => {
       const requestPath = req.url.split('?')[0];
       log(`${req.method} ${requestPath}`, 0);
       
-      // Check custom routes first
-      if (customRoutes.has(requestPath)) {
-        const customFilePath = customRoutes.get(requestPath);
-        log(`Serving custom route: ${requestPath} -> ${customFilePath}`, 2);
-        
+
+      // Check custom routes first (allow outside rootPath)
+      log(`customRoutes keys: ${Array.from(customRoutes.keys()).join(', ')}`, 1);
+      // Normalize requestPath and keys for matching
+      const normalizePath = p => {
+        let np = decodeURIComponent(p);
+        if (!np.startsWith('/')) np = '/' + np;
+        if (np.length > 1 && np.endsWith('/')) np = np.slice(0, -1);
+        return np;
+      };
+      const normalizedRequestPath = normalizePath(requestPath);
+      log(`Normalized requestPath: ${normalizedRequestPath}`, 1);
+      let matchedKey = null;
+      for (const key of customRoutes.keys()) {
+        if (normalizePath(key) === normalizedRequestPath) {
+          matchedKey = key;
+          break;
+        }
+      }
+      if (matchedKey) {
+        const customFilePath = customRoutes.get(matchedKey);
+        log(`Serving custom route: ${normalizedRequestPath} -> ${customFilePath}`, 2);
         try {
+          const { stat } = await import('fs/promises');
+          try {
+            await stat(customFilePath);
+            log(`Custom route file exists: ${customFilePath}`, 2);
+          } catch (e) {
+            log(`Custom route file does NOT exist: ${customFilePath}`, 0);
+            res.writeHead(404, { 'Content-Type': 'text/plain' });
+            res.end('Custom route file not found');
+            return;
+          }
           const fileContent = await readFile(customFilePath);
           const fileExtension = path.extname(customFilePath).toLowerCase().slice(1);
           const mimeType = config.allowedMimes[fileExtension] || 'application/octet-stream';
-          
           log(`Serving custom file as ${mimeType} (${fileContent.length} bytes)`, 2);
           res.writeHead(200, { 'Content-Type': mimeType });
           res.end(fileContent);
           return; // Successfully served custom route
         } catch (error) {
-          log(`Error serving custom route ${requestPath}: ${error.message}`, 0);
+          log(`Error serving custom route ${normalizedRequestPath}: ${error.message}`, 0);
           res.writeHead(500, { 'Content-Type': 'text/plain' });
           res.end('Internal Server Error');
           return;
         }
       }
-      
-      // Check wildcard routes
+
+      // Check wildcard routes (allow outside rootPath)
       const wildcardMatch = findWildcardRoute(requestPath);
       if (wildcardMatch) {
         const resolvedFilePath = resolveWildcardPath(wildcardMatch.filePath, wildcardMatch.matches);
         log(`Serving wildcard route: ${requestPath} -> ${resolvedFilePath}`, 2);
-        
         try {
           const fileContent = await readFile(resolvedFilePath);
           const fileExtension = path.extname(resolvedFilePath).toLowerCase().slice(1);
           const mimeType = config.allowedMimes[fileExtension] || 'application/octet-stream';
-          
           log(`Serving wildcard file as ${mimeType} (${fileContent.length} bytes)`, 2);
           res.writeHead(200, { 'Content-Type': mimeType });
           res.end(fileContent);

package/tests/config-flag.node-test.js

@@ -317,5 +317,56 @@ export default {
         process.chdir(prev);
       }
     });
+  },
+
+  'router throws error when config file is outside server root': async ({pass, fail, log}) => {
+    await withTempDir(async (dir) => {
+      // Create a config file outside the server root
+      const configDir = path.join(dir, '..', 'config-outside-root');
+      const configFilePath = await write(configDir, 'outside.config.json', '{"allowedMimes": {"test": "application/test"}}');
+      
+      // Create a file in the server root to verify it doesn't start
+      await write(dir, 'index.html', '<h1>Home</h1>');
+      
+      const prev = process.cwd();
+      process.chdir(dir);
+      
+      try {
+        // Try to use config file outside server root with relative path
+        const flags = {root: '.', logging: 0, scan: false, config: '../config-outside-root/outside.config.json'};
+        
+        log('Test setup:');
+        log('dir: ' + dir);
+        log('configDir: ' + configDir);
+        log('configFilePath: ' + configFilePath);
+        log('flags.root: ' + flags.root);
+        log('flags.config: ' + flags.config);
+        
+        // Check if file exists
+        const fs = await import('fs/promises');
+        try {
+          await fs.access(configFilePath);
+          log('Config file exists at: ' + configFilePath);
+        } catch (e) {
+          log('Config file does NOT exist at: ' + configFilePath);
+        }
+        
+        // This should throw an error
+        await router(flags, log);
+        
+        // If we reach here, the test failed
+        return fail('router should have thrown error for config file outside root');
+      } catch (error) {
+        log('Error caught: ' + error.message);
+        // Verify the error message contains expected text
+        if (!error.message.includes('Config file must be within the server root directory')) {
+          return fail(`unexpected error message: ${error.message}`);
+        }
+        
+        pass('router correctly throws error for config file outside server root');
+      } finally {
+        process.chdir(prev);
+      }
+    });
   }
 };

package/tests/customRoute-outside-root.node-test.js

@@ -0,0 +1,81 @@
+import router from '../src/router.js';
+import http from 'http';
+import { writeFile, mkdir } from 'fs/promises';
+import path from 'path';
+import { randomPort, httpGet, withTempDir, write } from './test-utils.js';
+
+/*
+  This test verifies that a customRoute pointing outside the rootPath is served
+  instead of a static file inside the rootPath, if both exist.
+*/
+
+export default {
+  'customRoute outside rootPath takes precedence over static file': async ({pass, fail, log}) => {
+    try {
+  await withTempDir(async (dir) => {
+        // Print initial working directory
+        log('Initial process.cwd(): ' + process.cwd());
+
+        // Setup: create static file in rootPath
+        const rootDir = path.join(dir, 'public');
+        await mkdir(path.join(rootDir, 'src'), { recursive: true });
+        await writeFile(path.join(rootDir, 'src', 'file.txt'), 'static');
+  // Create custom file outside rootPath, matching resolved customRoute
+  const customFilePath = path.resolve(rootDir, '..', 'src', 'file.txt');
+  await mkdir(path.dirname(customFilePath), { recursive: true });
+  await writeFile(customFilePath, 'custom');
+  log('Custom file path: ' + customFilePath);
+
+        // Check file existence
+        try {
+          const { stat } = await import('fs/promises');
+          await stat(customFilePath);
+          log('Custom file exists at setup');
+        } catch (e) {
+          log('Custom file does NOT exist at setup');
+        }
+
+        // Write config with customRoute pointing outside rootPath
+        const config = {
+          customRoutes: {
+            '/src/file.txt': '../src/file.txt'
+          }
+        };
+        await writeFile(path.join(rootDir, '.config.json'), JSON.stringify(config));
+        log('Config written: ' + JSON.stringify(config));
+
+  // Set working directory to temp dir so relative paths resolve correctly
+  const prevCwd = process.cwd();
+  process.chdir(dir);
+  const flags = { root: rootDir, logging: 4 };
+  const logFn = (...args) => log(args.map(String).join(' '));
+  log('Starting server with flags: ' + JSON.stringify(flags));
+  log('process.cwd() before router: ' + process.cwd());
+  const handler = await router(flags, logFn);
+  const server = http.createServer(handler);
+  const port = randomPort();
+  await new Promise(r => server.listen(port, r));
+  await new Promise(r => setTimeout(r, 50));
+
+        try {
+          // Print process.cwd() before request
+          log('process.cwd() before request: ' + process.cwd());
+          // Request the file
+          const requestUrl = `http://localhost:${port}/src/file.txt`;
+          log('Requesting URL: ' + requestUrl);
+          const response = await httpGet(requestUrl);
+          log('status: ' + response.res.statusCode);
+          log('response body: ' + response.body.toString());
+          if(response.res.statusCode !== 200) throw new Error('status not 200');
+          if(response.body.toString() !== 'custom') throw new Error('did not serve customRoute file');
+        } finally {
+          server.close();
+          process.chdir(prevCwd);
+        }
+      });
+      pass('customRoute outside rootPath is served');
+    } catch(e){
+      fail(e.message);
+    }
+  }
+};

package/tests/router-wildcard-double-asterisk.node-test.js

@@ -25,7 +25,7 @@ export default {
         // Configure double asterisk wildcard route
         const config = {
           customRoutes: {
-            '/src/**': './src/**'
+            '/src/**': '../src/**'
           }
         };
         
@@ -86,7 +86,7 @@ export default {
         // Configure single asterisk wildcard route
         const config = {
           customRoutes: {
-            '/src/*': './src/*'
+            '/src/*': '../src/*'
           }
         };
         
@@ -140,7 +140,7 @@ export default {
         // Configure wildcard route that overrides static file
         const config = {
           customRoutes: {
-            '/api/**': './custom/**'
+            '/api/**': '../custom/**'
           }
         };
         

package/tests/router-wildcard.node-test.js

@@ -25,7 +25,7 @@ export default {
         // Configure double asterisk wildcard route
         const config = {
           customRoutes: {
-            '/src/**': './src/**'
+            '/src/**': '../src/**'
           }
         };
         
@@ -86,7 +86,7 @@ export default {
         // Configure single asterisk wildcard route
         const config = {
           customRoutes: {
-            '/src/*': './src/*'
+            '/src/*': '../src/*'
           }
         };
         
@@ -140,7 +140,7 @@ export default {
         // Configure wildcard route that overrides static file
         const config = {
           customRoutes: {
-            '/api/**': './custom/**'
+            '/api/**': '../custom/**'
           }
         };