fix: serve csaf files in subfolders

chore: enhance testing to include file content
Tomithan · Mar 13, 2024 · f5c4777 · f5c4777
1 parent 44461d5
commit f5c4777
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 5 deletions.
diff --git a/routes/wellKnownServer.ts b/routes/wellKnownServer.ts
@@ -11,16 +11,24 @@ import { type Request, type Response, type NextFunction } from 'express'
 function serveWellKnown () {
   return (req: Request, res: Response, next: NextFunction) => {
     const file = req.params.file
-
-    if (!file.includes('/')) {
-      const pathResolved = path.resolve('.well-known/csaf', file)
+    var folder = req.params.folder
+    if (!folder) {
+      folder = ''
+    }
+    if (!file.includes('/') && !folder.includes('/')) {
+      const pathResolved = path.resolve('.well-known/csaf/' + folder, file)
+      if (pathResolved.endsWith('json')) {
+        res.setHeader('Content-Type', 'application/json')
+      }
       if (pathResolved.endsWith('/.well-known/csaf/provider-metadata.json')) {
         const fileContent = fs.readFileSync(pathResolved, 'utf8')
-        res.setHeader('Content-Type', 'application/json')
         const baseUrl = config.get<string>('server.baseUrl')
         res.send(fileContent.replace('http://localhost:3000', baseUrl))
-      } else {
+      } else if (pathResolved.includes('.well-known/csaf/')) {
         res.sendFile(pathResolved)
+      } else {
+        res.status(403)
+        next(new Error('Unknown file requested!'))
       }
     } else {
       res.status(403)

diff --git a/server.ts b/server.ts
@@ -262,6 +262,7 @@ restoreOverwrittenFilesWithOriginals().then(() => {
   app.use('/ftp(?!/quarantine)/:file', fileServer()) // vuln-code-snippet vuln-line directoryListingChallenge
   app.use('/ftp/quarantine/:file', quarantineServer()) // vuln-code-snippet neutral-line directoryListingChallenge
 
+  app.use('/.well-known/csaf/:folder/:file', wellKnownServer())
   app.use('/.well-known/csaf/:file', wellKnownServer())
   app.use('/.well-known', serveIndexMiddleware, serveIndex('.well-known', { icons: true, view: 'details' }))
 

diff --git a/test/api/fileServingSpec.ts b/test/api/fileServingSpec.ts
@@ -80,6 +80,8 @@ describe('Server', () => {
   it('GET serves a csaf juice-shop-sa-20200513-express-jwt.json', () => {
     return frisby.get(URL + '/.well-known/csaf/2017/juice-shop-sa-20200513-express-jwt.json')
       .expect('status', 200)
+      .expect('bodyContains', 'juice-shop-sa-20200513-express-jwt')
+      .expect('bodyContains', 'We will soon release a patch')
   })
 })