|
[{"id":"f31a598d.9fd2c8","type":"function","z":"56fa9896.d15ed8","name":"Set base path","func":"//restrict to c:\\temp\\\nvar basePath = \"c:\\\\temp\\\\\";\nvar filename = msg.req.params.fn;\n\n\nif(filename.includes(\"..\\\\\")){\n msg.payload = \"Illegal file path\";\n msg.statusCode = 405;//not allowed\n return [null, msg];//fire output 2\n} else if(filename.includes(\"../\")){\n msg.payload = \"Illegal file path\";\n msg.statusCode = 405;//not allowed\n return [null, msg];//fire output 2\n} \n//TODO: add more checks\n\nmsg.filename = basePath + filename;\nreturn [msg, null];//fire output 1\n\n\n","outputs":2,"noerr":0,"x":320,"y":300,"wires":[["34dc99e5.495466"],["98261154.3006"]]},{"id":"98261154.3006","type":"http response","z":"56fa9896.d15ed8","name":"","statusCode":"","headers":{},"x":670,"y":340,"wires":[]},{"id":"34dc99e5.495466","type":"file in","z":"56fa9896.d15ed8","name":"","filename":"","format":"","chunk":false,"sendError":false,"encoding":"none","x":510,"y":280,"wires":[["98261154.3006"]]},{"id":"38d65d59.1d8aa2","type":"catch","z":"56fa9896.d15ed8","name":"","scope":null,"uncaught":false,"x":140,"y":380,"wires":[["3b8014a.86ad8ec","5b18a8e7.fb8da8"]]},{"id":"3b8014a.86ad8ec","type":"function","z":"56fa9896.d15ed8","name":"Set 404","func":"msg.payload = msg.error;\nmsg.statusCode = 404;//resource not found\nreturn msg;","outputs":1,"noerr":0,"x":520,"y":380,"wires":[["98261154.3006"]]},{"id":"5b18a8e7.fb8da8","type":"debug","z":"56fa9896.d15ed8","name":"","active":true,"tosidebar":true,"console":false,"tostatus":false,"complete":"true","targetType":"full","x":170,"y":420,"wires":[]},{"id":"a8c2985e.d23ad8","type":"ui_template","z":"56fa9896.d15ed8","group":"dfb4a60f.d788f8","name":"ui_temlplate - present download links on dashboard","order":0,"width":0,"height":0,"format":"<div >\n <a href=\"/files/log.log\">download log.log</a>\n <a href=\"/files/log2.log\">download log2.log</a>\n</div>","storeOutMessages":true,"fwdInMessages":true,"templateScope":"local","x":510,"y":460,"wires":[[]]},{"id":"5de7cbb4.fa21a4","type":"comment","z":"56fa9896.d15ed8","name":"Create http endpoint <nodered>/files/xxx where xxx is the file name to download","info":"","x":360,"y":240,"wires":[]},{"id":"67ecfa7f.3f0e24","type":"http in","z":"56fa9896.d15ed8","name":"","url":"/files/:fn","method":"get","upload":false,"swaggerDoc":"","x":150,"y":300,"wires":[["f31a598d.9fd2c8"]]},{"id":"dfb4a60f.d788f8","type":"ui_group","z":"","name":"Data Export","tab":"48418b79.0f5834","disp":true,"width":"12"},{"id":"48418b79.0f5834","type":"ui_tab","z":"","name":"Dashboard","icon":"dashboard","order":1}] |
Would it work just to have :
if(filename.includes(".."))
in the function node instead of
if(filename.includes("../"))
Or does it expose some security issue which I do not see?