Implement the fix.

43c447ed · Arunoda Susiripala · 442c611d · 43c447ed
隐藏空白更改
内联并排

Showing with 18 addition and 1 deletion

server/index.js server/index.js +18 -1

未找到文件。
--- a/server/index.js
+++ b/server/index.js
-import { resolve, join } from 'path'
+import { resolve, join, sep } from 'path'
 import { parse as parseUrl } from 'url'
 import { parse as parseQs } from 'querystring'
 import fs from 'fs'
@@ -295,6 +295,10 @@ export default class Server {
  }

  async serveStatic (req, res, path) {
+    if (!this.isServeableUrl(path)) {
+      return this.render404(req, res)
+    }
+
    try {
      return await serveStatic(req, res, path)
    } catch (err) {
@@ -306,6 +310,19 @@ export default class Server {
    }
  }

+  isServeableUrl (path) {
+    const resolved = resolve(path)
+    if (
+      resolved.indexOf(join(this.dir, this.dist) + sep) !== 0 &&
+      resolved.indexOf(join(this.dir, 'static') + sep) !== 0
+    ) {
+      // Seems like the user is trying to traverse the filesystem.
+      return false
+    }
+
+    return true
+  }
+
  isInternalUrl (req) {
    for (const prefix of internalPrefixes) {
      if (prefix.test(req.url)) {