socket-function 0.141.0 → 0.143.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
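--- a/package/package.json
+++ b/package/package.json
@@ -92,6 +92,9 @@ function injectHTMLBeforeStartup(text: string | (() => Promise<string>)) {
 }
 let staticRoots: string[] = [];
 function addStaticRoot(root: string) {
+if (!root.endsWith("/")) {
+root += "/";
+}
 staticRoots.push(root);
 }
 
@@ -131,6 +134,11 @@ class RequireControllerBase {
 for (let root of staticRoots) {
 let resolved = root + urlObj.pathname;
 if (fs.existsSync(resolved)) {
+let rootResolved = path.resolve(resolved);
+let finalResolved = path.resolve(rootResolved);
+if (!finalResolved.startsWith(root)) {
+throw new Error(`Invalid access, did not stay in namespace: ${JSON.stringify(root)}, but escaped: ${JSON.stringify(finalResolved)}`);
+}
 result = await fs.promises.readFile(resolved);
 break;
 }
@@ -145,7 +153,7 @@ class RequireControllerBase {
 return setHTTPResultHeaders(result, headers);
 }
 
-
+return setHTTPResultHeaders(Buffer.from(`Static file not found, ${urlObj.pathname}, have static roots: ${JSON.stringify(staticRoots)}`), headers);
 }
 
 }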
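Review bot: The containment check added in the second hunk compares an absolute, normalized path (`finalResolved`) against the raw `root` string, so it is only correct when every registered root is already absolute and normalized; a relative root such as `./static/` makes `finalResolved.startsWith(root)` false for every legitimate file, and an absolute root containing `..` or `.` segments is not normalized on its side of the comparison. The second `path.resolve(rootResolved)` is a no-op on an already-absolute path; resolve the root instead and compare with a trailing separator, e.g. `const base = path.resolve(root) + path.sep;` / `const finalResolved = path.resolve(resolved);` / `if (!finalResolved.startsWith(base)) { throw new Error(...); }` (the `/` appended in the first hunk is not `path.sep` on Windows). `path.resolve` does not follow symlinks, so a link placed inside a root can still resolve outside it; if that matters for this deployment, `fs.realpathSync` on both `base` and the candidate closes it. In the third hunk the not-found response body embeds `JSON.stringify(staticRoots)`, which discloses server filesystem layout to any client requesting a missing path; log the roots server-side and return a fixed message. The enclosing method begins and ends outside these hunks.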