Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
Node.js quick file server (static files over HTTP) using es6+
const http = require('http');
const url = require('url');
const fs = require('fs');
const path = require('path');
const port = process.argv[2] || 9000;
http.createServer(function (req, res) {
console.log(`${req.method} ${req.url}`);
// parse URL
const parsedUrl = url.parse(req.url);
// extract URL path
let pathname = `.${parsedUrl.pathname}`;
// based on the URL path, extract the file extention. e.g. .js, .doc, ...
const ext = path.parse(pathname).ext;
// maps file extention to MIME typere
const map = {
'.ico': 'image/x-icon',
'.html': 'text/html',
'.js': 'text/javascript',
'.json': 'application/json',
'.css': 'text/css',
'.png': 'image/png',
'.jpg': 'image/jpeg',
'.wav': 'audio/wav',
'.mp3': 'audio/mpeg',
'.svg': 'image/svg+xml',
'.pdf': 'application/pdf',
'.doc': 'application/msword'
fs.exists(pathname, function (exist) {
if(!exist) {
// if the file is not found, return 404
res.statusCode = 404;
res.end(`File ${pathname} not found!`);
// if is a directory search for index file matching the extention
if (fs.statSync(pathname).isDirectory()) pathname += '/index' + ext;
// read file from file system
fs.readFile(pathname, function(err, data){
res.statusCode = 500;
res.end(`Error getting the file: ${err}.`);
} else {
// if the file is found, set Content-type and send data
res.setHeader('Content-type', map[ext] || 'text/plain' );
console.log(`Server listening on port ${port}`);

Line 36 potential reflected XSS vector ( Do you intend to allow developers to use this code? If so, under what license? GPL, MIT/BSD, CC0, WTFPL? Stack overflow, from whence you linked this, uses the MIT license - is that what you intended?

SephReed commented Jul 23, 2017 edited

Hey. I've been playing with this code, and I really really like it, but there is one change I think might be super important for security reasons.

If, at any point, a user converts the pathname to something more file readable (for instance, changing %20 to spaces), then a hack becomes possible.

If someone requests something like http://localhost:8528/%20./get_me.html, the path name becomes ../get_me.html, and they can get root access.

To fix this, you can make it so the max amount of periods at the start of a filename is 1

pathname = pathname.replace(/^(\.)+/, '.');

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment