kempo-server 1.7.1 → 1.7.2

package/README.md

@@ -213,6 +213,11 @@ export default async function(request, response) {
 
 To configure the server, create a configuration file (by default `.config.json`) within the root directory of your server (`public` in the start example [above](#getting-started)). You can specify a different configuration file using the `--config` flag.
 
+**Important:** 
+- When using a relative path for the `--config` flag, the config file must be located within the server root directory
+- When using an absolute path for the `--config` flag, the config file can be located anywhere on the filesystem
+- The server will throw an error if you attempt to use a relative config file path that points outside the root directory
+
 This json file can have any of the following properties, any property not defined will use the "Default Config".
 
 - [allowedMimes](#allowedmimes)
@@ -558,35 +563,41 @@ An array of regex patterns for paths that should not trigger a file system resca
 
 An object mapping custom route paths to file paths. Useful for aliasing or serving files from outside the document root.
 
+**Note:** All file paths in customRoutes are resolved relative to the server root directory (the `--root` path). This allows you to reference files both inside and outside the document root.
+
 **Basic Routes:**
 ```json
 {
   "customRoutes": {
-    "/vendor/bootstrap.css": "./node_modules/bootstrap/dist/css/bootstrap.min.css",
+    "/vendor/bootstrap.css": "../node_modules/bootstrap/dist/css/bootstrap.min.css",
     "/api/status": "./status.js"
   }
 }
 ```
 
 **Wildcard Routes:**
-Wildcard routes allow you to map entire directory structures using the `*` wildcard:
+Wildcard routes allow you to map entire directory structures using the `*` and `**` wildcards:
 
 ```json
 {
   "customRoutes": {
-    "kempo/*": "./node_modules/kempo/dust/*",
-    "assets/*": "./static-files/*",
-    "docs/*": "./documentation/*"
+    "kempo/*": "../node_modules/kempo/dist/*",
+    "assets/*": "../static-files/*",
+    "docs/*": "../documentation/*",
+    "src/**": "../src/**"
   }
 }
 ```
 
 With wildcard routes:
-- `kempo/styles.css` would serve `./node_modules/kempo/dust/styles.css`
-- `assets/logo.png` would serve `./static-files/logo.png`  
-- `docs/readme.md` would serve `./documentation/readme.md`
-
-The `*` wildcard matches any single path segment (anything between `/` characters). Multiple wildcards can be used in a single route pattern.
+- `kempo/styles.css` would serve `../node_modules/kempo/dist/styles.css`
+- `assets/logo.png` would serve `../static-files/logo.png`  
+- `docs/readme.md` would serve `../documentation/readme.md`
+- `src/components/Button.js` would serve `../src/components/Button.js`
+
+The `*` wildcard matches any single path segment (anything between `/` characters).
+The `**` wildcard matches any number of path segments, allowing you to map entire directory trees.
+Multiple wildcards can be used in a single route pattern.
 
 ### maxRescanAttempts
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "kempo-server",
   "type": "module",
-  "version": "1.7.1",
+  "version": "1.7.2",
   "description": "A lightweight, zero-dependency, file based routing server.",
   "main": "dist/index.js",
   "bin": {

package/src/defaultConfig.js

@@ -88,8 +88,8 @@ export default {
   ],
   maxRescanAttempts: 3,
   customRoutes: {
-    // Example: "/vendor/bootstrap.css": "./node_modules/bootstrap/dist/css/bootstrap.min.css"
-    // Wildcard example: "kempo/*": "./node_modules/kempo/dust/*"
+    // Example: "/vendor/bootstrap.css": "../node_modules/bootstrap/dist/css/bootstrap.min.css"
+    // Wildcard example: "kempo/*": "../node_modules/kempo/dust/*"
   },
   middleware: {
     // Built-in middleware configuration

package/src/router.js

@@ -27,6 +27,25 @@ export default async (flags, log) => {
     const configPath = path.isAbsolute(configFileName) 
       ? configFileName 
       : path.join(rootPath, configFileName);
+    
+    log(`Config file name: ${configFileName}`, 2);
+    log(`Config path: ${configPath}`, 2);
+    
+    // Validate that config file is within the server root directory
+    // Allow absolute paths (user explicitly specified location)
+    if (!path.isAbsolute(configFileName)) {
+      const relativeConfigPath = path.relative(rootPath, configPath);
+      log(`Relative config path: ${relativeConfigPath}`, 2);
+      log(`Starts with '..': ${relativeConfigPath.startsWith('..')}`, 2);
+      if (relativeConfigPath.startsWith('..') || path.isAbsolute(relativeConfigPath)) {
+        log(`Validation failed - throwing error`, 2);
+        throw new Error(`Config file must be within the server root directory. Config path: ${configPath}, Root path: ${rootPath}`);
+      }
+      log(`Validation passed`, 2);
+    } else {
+      log(`Config file name is absolute, skipping validation`, 2);
+    }
+    
     log(`Loading config from: ${configPath}`, 2);
     const configContent = await readFile(configPath, 'utf8');
     const userConfig = JSON.parse(configContent);
@@ -53,6 +72,11 @@ export default async (flags, log) => {
     };
     log('User config loaded and merged with defaults', 2);
   } catch (e){
+    // Only fall back to default config for file reading/parsing errors
+    // Let validation errors propagate up
+    if (e.message.includes('Config file must be within the server root directory')) {
+      throw e;
+    }
     log('Using default config (no config file found)', 2);
   }
   
@@ -139,14 +163,14 @@ export default async (flags, log) => {
     for (const [urlPath, filePath] of Object.entries(config.customRoutes)) {
       // Check if this is a wildcard route
       if (urlPath.includes('*')) {
-        // Resolve the file path relative to the current working directory
-        const resolvedPath = path.resolve(filePath);
+        // Resolve the file path relative to rootPath if relative, otherwise use absolute path
+        const resolvedPath = path.isAbsolute(filePath) ? filePath : path.resolve(rootPath, filePath);
         // Store wildcard routes separately for pattern matching
         wildcardRoutes.set(urlPath, resolvedPath);
         log(`Wildcard route mapped: ${urlPath} -> ${resolvedPath}`, 2);
       } else {
-        // Resolve the file path relative to the current working directory
-        const resolvedPath = path.resolve(filePath);
+        // Resolve the file path relative to rootPath if relative, otherwise use absolute path
+        const resolvedPath = path.isAbsolute(filePath) ? filePath : path.resolve(rootPath, filePath);
         customRoutes.set(urlPath, resolvedPath);
         log(`Custom route mapped: ${urlPath} -> ${resolvedPath}`, 2);
       }
@@ -179,7 +203,9 @@ export default async (flags, log) => {
       }
     }
     
-    return path.resolve(resolvedPath);
+    // If the path is already absolute, return it as-is
+    // If it's relative, resolve it relative to rootPath
+    return path.isAbsolute(resolvedPath) ? resolvedPath : path.resolve(rootPath, resolvedPath);
   };
   
   // Helper function to find matching wildcard route

package/tests/config-flag.node-test.js

@@ -317,5 +317,56 @@ export default {
         process.chdir(prev);
       }
     });
+  },
+
+  'router throws error when config file is outside server root': async ({pass, fail, log}) => {
+    await withTempDir(async (dir) => {
+      // Create a config file outside the server root
+      const configDir = path.join(dir, '..', 'config-outside-root');
+      const configFilePath = await write(configDir, 'outside.config.json', '{"allowedMimes": {"test": "application/test"}}');
+      
+      // Create a file in the server root to verify it doesn't start
+      await write(dir, 'index.html', '<h1>Home</h1>');
+      
+      const prev = process.cwd();
+      process.chdir(dir);
+      
+      try {
+        // Try to use config file outside server root with relative path
+        const flags = {root: '.', logging: 0, scan: false, config: '../config-outside-root/outside.config.json'};
+        
+        log('Test setup:');
+        log('dir: ' + dir);
+        log('configDir: ' + configDir);
+        log('configFilePath: ' + configFilePath);
+        log('flags.root: ' + flags.root);
+        log('flags.config: ' + flags.config);
+        
+        // Check if file exists
+        const fs = await import('fs/promises');
+        try {
+          await fs.access(configFilePath);
+          log('Config file exists at: ' + configFilePath);
+        } catch (e) {
+          log('Config file does NOT exist at: ' + configFilePath);
+        }
+        
+        // This should throw an error
+        await router(flags, log);
+        
+        // If we reach here, the test failed
+        return fail('router should have thrown error for config file outside root');
+      } catch (error) {
+        log('Error caught: ' + error.message);
+        // Verify the error message contains expected text
+        if (!error.message.includes('Config file must be within the server root directory')) {
+          return fail(`unexpected error message: ${error.message}`);
+        }
+        
+        pass('router correctly throws error for config file outside server root');
+      } finally {
+        process.chdir(prev);
+      }
+    });
   }
 };

package/tests/customRoute-outside-root.node-test.js

@@ -21,7 +21,7 @@ export default {
         await mkdir(path.join(rootDir, 'src'), { recursive: true });
         await writeFile(path.join(rootDir, 'src', 'file.txt'), 'static');
   // Create custom file outside rootPath, matching resolved customRoute
-  const customFilePath = path.resolve(dir, '..', 'src', 'file.txt');
+  const customFilePath = path.resolve(rootDir, '..', 'src', 'file.txt');
   await mkdir(path.dirname(customFilePath), { recursive: true });
   await writeFile(customFilePath, 'custom');
   log('Custom file path: ' + customFilePath);

package/tests/router-wildcard-double-asterisk.node-test.js

@@ -25,7 +25,7 @@ export default {
         // Configure double asterisk wildcard route
         const config = {
           customRoutes: {
-            '/src/**': './src/**'
+            '/src/**': '../src/**'
           }
         };
         
@@ -86,7 +86,7 @@ export default {
         // Configure single asterisk wildcard route
         const config = {
           customRoutes: {
-            '/src/*': './src/*'
+            '/src/*': '../src/*'
           }
         };
         
@@ -140,7 +140,7 @@ export default {
         // Configure wildcard route that overrides static file
         const config = {
           customRoutes: {
-            '/api/**': './custom/**'
+            '/api/**': '../custom/**'
           }
         };
         

package/tests/router-wildcard.node-test.js

@@ -25,7 +25,7 @@ export default {
         // Configure double asterisk wildcard route
         const config = {
           customRoutes: {
-            '/src/**': './src/**'
+            '/src/**': '../src/**'
           }
         };
         
@@ -86,7 +86,7 @@ export default {
         // Configure single asterisk wildcard route
         const config = {
           customRoutes: {
-            '/src/*': './src/*'
+            '/src/*': '../src/*'
           }
         };
         
@@ -140,7 +140,7 @@ export default {
         // Configure wildcard route that overrides static file
         const config = {
           customRoutes: {
-            '/api/**': './custom/**'
+            '/api/**': '../custom/**'
           }
         };