mockaton 8.7.5 → 8.7.7
- package/package.json +1 -1
- package/src/Mockaton.test.js +5 -0
- package/src/StaticDispatcher.js +12 -11
- package/src/config.js +4 -0
package/package.json
CHANGED
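--- a/package/src/Mockaton.test.js
+++ b/package/src/Mockaton.test.js
@@ -500,6 +500,11 @@ export default function (req, response) {
 
 async function testStaticFileServing() {
 await describe('Static File Serving', () => {
+it('404 path traversal', async () => {
+const res = await request('/../../../etc/passwd')
+equal(res.status, 404)
+})
+
 it('Defaults to index.html', async () => {
 const res = await request('/')
 const body = await res.text()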
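Review bot: The new '404 path traversal' case may never reach the server-side containment check. `request` is defined outside this hunk, but if it is built on `fetch` or `URL`, WHATWG URL parsing collapses the `..` segments before the request leaves the client, so the server would see `/etc/passwd` and answer 404 for an ordinary missing file. Sending the raw request target through `node:http` (its `path` option is not normalized) would exercise the guard, with a comment such as `// raw request: fetch would collapse the dot segments client-side`. A second case that places a symlink inside the static directory pointing outside it would cover the `realpathSync` branch this release adds in StaticDispatcher.js.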
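--- a/package/src/StaticDispatcher.js
+++ b/package/src/StaticDispatcher.js
@@ -1,5 +1,5 @@
-import { join,
-import fs, { readFileSync } from 'node:fs'
+import { join, resolve } from 'node:path'
+import fs, { readFileSync, realpathSync } from 'node:fs'
 
 import { config } from './config.js'
 import { mimeFor } from './utils/mime.js'
@@ -10,14 +10,12 @@ import { sendNotFound, sendInternalServerError } from './utils/http-response.js'
 export function isStatic(req) {
 if (!config.staticDir)
 return false
-
-
-const f = resolvePath(req.url)
-return !config.ignore.test(f) && Boolean(f)
+const f = resolvedAllowedPath(req.url)
+return f && !config.ignore.test(f)
 }
 
 export async function dispatchStatic(req, response) {
-const file =
+const file = resolvedAllowedPath(req.url)
 if (!file)
 sendNotFound(response)
 else if (req.headers.range)
@@ -26,11 +24,14 @@ export async function dispatchStatic(req, response) {
 sendFile(response, file)
 }
 
-function
-let candidate = join(config.staticDir, url)
+function resolvedAllowedPath(url) {
+let candidate = resolve(join(config.staticDir, url))
 if (isDirectory(candidate))
-candidate
-if (isFile(candidate))
+candidate = join(candidate, 'index.html')
+if (!isFile(candidate))
+return false
+candidate = realpathSync(candidate)
+if (candidate.startsWith(config.staticDir))
 return candidate
 }
 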
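Review bot: The containment check `candidate.startsWith(config.staticDir)` in `resolvedAllowedPath` is a plain string-prefix test. A resolved path in a sibling directory whose name merely begins with the static directory's name is therefore still accepted (constructed example: `/srv/static-old/x` against `/srv/static`). Compare on a separator boundary instead: add `sep` to the `node:path` import and use `if (candidate.startsWith(config.staticDir + sep))`. The function also falls off the end and returns `undefined` when the check fails, while the earlier rejection returns `false`; an explicit `return false` would keep the result consistent for `isStatic` and `dispatchStatic`.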
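--- a/package/src/config.js
+++ b/package/src/config.js
@@ -1,3 +1,4 @@
+import { realpathSync } from 'node:fs'
 import { isDirectory } from './utils/fs.js'
 import { openInBrowser } from './utils/openInBrowser.js'
 import { jsToJsonPlugin } from './MockDispatcherPlugins.js'
@@ -66,6 +67,9 @@ export function setup(options) {
 
 onReady: is(Function)
 })
+
+config.mocksDir = realpathSync(config.mocksDir)
+config.staticDir = realpathSync(config.staticDir)
 }
 
 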
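Review bot: `realpathSync` is applied to `config.mocksDir` and `config.staticDir` unconditionally at the end of `setup`, yet `isStatic` in StaticDispatcher.js treats a falsy `staticDir` as "static serving disabled". An unset value makes the call throw a TypeError and a nonexistent directory throws ENOENT. An empty string likely resolves to the current working directory, which would silently enable static serving from there. Guarding the line keeps the disabled case intact: `if (config.staticDir) config.staticDir = realpathSync(config.staticDir)`. The option defaults and any earlier directory validation are outside this hunk, so this should be confirmed against them.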