💄

82e99291 · Benjamin Pasero · 7d9069ba · 82e99291
隐藏空白更改
内联并排

Showing with 8 addition and 0 deletion

scripts/code-web.js scripts/code-web.js +8 -0

未找到文件。
--- a/scripts/code-web.js
+++ b/scripts/code-web.js
@@ -227,6 +227,14 @@ function getMediaMime(forPath) {
 */
 async function serveFile(req, res, filePath, responseHeaders = Object.create(null)) {
 	try {
+
+		// Sanity checks
+		filePath = path.normalize(filePath); // ensure no "." and ".."
+		if (filePath.indexOf(`${APP_ROOT}${path.sep}`) !== 0) {
+			// invalid location outside of APP_ROOT
+			return serveError(req, res, 400, `Bad request.`);
+		}
+
 		const stat = await util.promisify(fs.stat)(filePath);

 		// Check if file modified since