Fixed traversal vulnerability

KoryNunn · KoryNunn · commit 99b0b40b34aa · 2017-04-24T21:23:38.000+10:00
diff --git a/server.js b/server.js
@@ -85,6 +85,13 @@ function serveFile(request, response, path, info){
 var router = beeline.route({
     '/`path...`': function(request, response, details){
         var path = process.cwd() + '/' + details.path;
+
+        if(~pathHelpers.relative(process.cwd(), path).indexOf('..')) {
+            response.writeHead(401);
+            response.end('Unauthorized');
+            return;
+        }
+
         fs.stat(path, function(error, info){
             if(error){
                 serverError(response, error);
diff --git a/test/traversal.js b/test/traversal.js
@@ -0,0 +1,22 @@
+/**
+ * Author: Liang Gong
+ * (colors dep removed)
+ */
+(function() {
+    var http = require('http');
+    var content;
+    var url = 'http://localhost:8080/../../confidential.txt';
+
+    console.log('\t[directory traversal attack]: ' + url);
+
+    var content = '';
+
+    http.get(url, (res) => {
+        res.on('data', (chunk) => {
+            content += chunk.toString('utf-8');
+        });
+        res.on('end', () => {
+            console.log('\t[directory traversal request response]: ' + content.toString('utf-8'));
+        });
+    });
+})();
