mdts 0.5.0 → 0.5.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/server/server.js +12 -1
- package/package.json +1 -1
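--- a/package/dist/server/server.js
+++ b/package/dist/server/server.js
@@ -75,7 +75,18 @@ const createApp = (directory, currentLocation = __dirname) => {
 res.sendFile(path_1.default.join(currentLocation, './public/welcome.md'));
 });
 app.use('/api/markdown', (req, res, next) => {
-
+// Decode the URI component to handle encoded characters in the path
+const decodedPath = decodeURIComponent(req.path);
+// Normalize the path to resolve '..' and '.' segments
+const normalizedPath = path_1.default.normalize(decodedPath);
+// Construct the full file path
+const filePath = path_1.default.join(directory, normalizedPath);
+// Security check: Ensure the resolved path is within the designated directory
+// This prevents path traversal attacks (e.g., accessing files outside 'directory')
+if (!filePath.startsWith(directory)) {
+console.error(`🚫 Attempted path traversal: ${filePath}`);
+return res.status(403).send('Forbidden');
+}
 if (!fs.existsSync(filePath)) {
 console.error(`🚫 File not found: ${filePath}`);
 return res.status(404).send('File not found');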
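Review bot: The containment check `if (!filePath.startsWith(directory))` is a plain string-prefix test, so a joined path that lands in a sibling directory whose name merely begins with `directory` still passes, and if `directory` is relative or unnormalized the comparison is against a different spelling than what `path.join` produces. Anchor both sides on a resolved root and require a separator after it: `const root = path_1.default.resolve(directory);`, `const filePath = path_1.default.join(root, normalizedPath);`, `if (filePath !== root && !filePath.startsWith(root + path_1.default.sep)) {`. Separately, `decodeURIComponent(req.path)` throws `URIError` on a malformed percent-sequence; Express presumably routes that synchronous throw to its error handler as a 500, but a deliberate 400 from a small try/catch would be the clearer contract. The middleware and the enclosing `createApp` continue past the end of the hunk.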