Merge pull request sintaxi#3 from mufeedvh/master
Merging fix - on-behalf of @mufeedvh, executed by huntr.dev (001-js-harp).
JamieSlome authored Feb 3, 2020
2 parents 56924b7 + 51cfb24 commit 4c5f0f5
Showing 1 changed file with 16 additions and 0 deletions.
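--- a/lib/middleware.js
+++ b/lib/middleware.js
@@ -517,6 +517,22 @@ exports.process = function(req, rsp, next){
 /**
 * Now we let terraform handle the asset pipeline.
 */
+
+// checking if the source file being served is a symlink
+fs.lstat(sourceFile, function(err, stats) {
+if (stats.isSymbolicLink()) {
+fs.readlink(sourceFile, function (err, symlinkTo) {
+// forbidding access if the symlink points to a file outside of the project's base directory to prevent path traversal
+var projectPath = path.dirname(require.main.filename) // full path of the project's main file
+var symlinkPath = path.dirname(symlinkTo) // full path of the symlink
+if (projectPath !== symlinkPath) {
+var body = "403 Forbidden"
+rsp.statusCode = 403
+rsp.end(body)
+}
+});
+}
+});
 
 req.poly.render(sourceFile, function(error, body){
 if(error){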
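Review bot: The symlink check does not gate the response: `fs.lstat` and `fs.readlink` are asynchronous, and `req.poly.render(sourceFile, …)` right after the added block is still called unconditionally, so the file can be rendered and sent before or alongside the 403. Both callbacks also ignore `err`, so a failed `lstat` leaves `stats` undefined and `stats.isSymbolicLink()` throws inside the callback. The comparison itself is fragile: `require.main.filename` is the process entry script rather than the served project, `readlink` may return a relative target, and strict equality of the two `path.dirname` values rejects targets in subdirectories while symlinked parent directories are never inspected. Resolving both paths with `fs.realpath`, testing containment with `path.relative`, and moving the render call inside the callback would close these gaps. `exports.process` starts and ends outside the hunk, so the project-root name in the sketch below is a placeholder.

```javascript
// PROJECT_ROOT is a placeholder for the directory being served; its real name is not visible in this hunk
fs.realpath(sourceFile, function(err, resolvedFile) {
  if (err) return next(err)
  fs.realpath(PROJECT_ROOT, function(err, resolvedRoot) {
    if (err) return next(err)
    // containment test on fully resolved paths, so symlinked parent directories are covered too
    var relative = path.relative(resolvedRoot, resolvedFile)
    if (path.isAbsolute(relative) || relative.split(path.sep)[0] === '..') {
      rsp.statusCode = 403
      return rsp.end("403 Forbidden")
    }
    // … unchanged: req.poly.render(sourceFile, …) call, now made from inside this callback …
  })
})
```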
