version 0.10.1 Fixed directory traversal vulnerability

sandy98 · sandy98 · commit dfdd52e2e806 · 2017-04-27T02:36:35.000-03:00
diff --git a/lib/router.js b/lib/router.js
diff --git a/package.json b/package.json
@@ -21,7 +21,7 @@
     "async",
     "promises"
   ],
-  "version": "0.10.0",
+  "version": "0.10.1",
   "homepage": "http://node-simple-router.herokuapp.com",
   "author": "Ernesto Savoretti <esavoretti@gmail.com>",
   "repository": {
diff --git a/src/router.coffee b/src/router.coffee
@@ -613,6 +613,8 @@ Router = (options = {}) ->
 
   dispatch.static = (pathname, req, res) ->
     full_path = "#{dispatch.static_route}#{unescape(pathname)}"
+    if full_path.indexOf('..') isnt -1
+      return dispatch._403(null, res, pathname, "Trying to get private things through directory traversal is a nasty thing to do.")
     fs.exists full_path, (exists) ->
       if exists
         if ((pathname.indexOf("#{dispatch.cgi_dir}/") isnt - 1) or (pathname.match /\.php$/)) and (pathname.substr(-1) isnt "/") and (dispatch.serve_cgi is true)
@@ -1002,6 +1004,14 @@ Router = (options = {}) ->
           else
             res.end data
 
+  dispatch._403 = (req, res, path, message) ->
+    res.writeHead(500, {'Content-Type': 'text/html'})
+    res.end("""
+                <h2>403 - Forbidden: #{message}</h2>
+                <hr/><h3>Served by #{dispatch.served_by} v#{dispatch.version}</h3>
+                <p style="text-align: center;"><button onclick='history.back();'>Back</button></p>
+            """)
+
   dispatch._405 = (req, res, path, message) ->
     res.writeHead(405, {'Content-Type': 'text/html'})
     res.end("""
