commit 8462979618f674bbd5db25e6f7fec88a25ceb422 | |
Author: Gabriel Wicke <gwicke@wikimedia.org> | |
Date: Sun Jan 17 00:51:48 2016 -0800 | |
Make sure relative paths are disallowed in swagger-ui resource end point | |
Deny access if a relative path was specified for swagger-ui resources. | |
diff --git a/lib/swaggerUI.js b/lib/swaggerUI.js | |
index afb13e2..cbfdd3f 100644 | |
--- a/lib/swaggerUI.js | |
+++ b/lib/swaggerUI.js | |
@@ -7,11 +7,19 @@ var path = require('path'); | |
var docRoot = require('swagger-ui').dist + '/'; | |
function staticServe(restbase, req) { | |
- // Expand any relative paths for security | |
- var filePath = req.query.path.replace(/\.\.\//g, ''); | |
- return fs.readFileAsync(docRoot + filePath, 'utf8') | |
+ var reqPath = req.query.path; | |
+ | |
+ var filePath = path.join(docRoot, reqPath); | |
+ | |
+ // Disallow relative paths. | |
+ // Test relies on docRoot ending on a slash. | |
+ if (filePath.substring(0, docRoot.length) !== docRoot) { | |
+ throw new Error("Invalid path."); | |
+ } | |
+ | |
+ return fs.readFileAsync(filePath, 'utf8') | |
.then(function(body) { | |
- if (filePath === '/index.html') { | |
+ if (reqPath === '/index.html') { | |
// Rewrite the HTML to use a query string | |
body = body.replace(/((?:src|href)=['"])/g, '$1?doc=&path=') | |
// Some self-promotion | |
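Review bot: The guard on lines 27–29 throws a plain `Error`, so a rejected path surfaces as a server-side failure rather than a client error, and a missing or repeated `path` query parameter (`req.query.path` undefined, or an array when the parameter is given twice) makes `path.join` on line 23 throw a `TypeError` before the check runs at all. Validate the type first with the same rejection, `if (typeof reqPath !== 'string') { throw new Error("Invalid path."); }`, and if the router has an error type it maps to a 4xx status, use it for both throws. The prefix comparison on line 27 is only sound under the assumption the comment on line 26 states: `path.join` normalizes `filePath` while `docRoot` is compared raw, so `docRoot` must already be a normalized path ending in `/` (and on platforms where `path.sep` is not `/` every request would be rejected). Consider documenting that precondition next to the `docRoot` definition on line 16, e.g. `// Must be normalized and end with '/': staticServe relies on it for its prefix check.` staticServe's body continues past the end of the hunk.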
@@ -27,14 +35,14 @@ function staticServe(restbase, req) { | |
} | |
var contentType = 'text/html'; | |
- if (/\.js$/.test(filePath)) { | |
+ if (/\.js$/.test(reqPath)) { | |
contentType = 'text/javascript'; | |
body = body.replace(/underscore\-min\.map/, '?doc=&path=lib/underscore-min.map'); | |
- } else if (/\.png/.test(filePath)) { | |
+ } else if (/\.png/.test(reqPath)) { | |
contentType = 'image/png'; | |
- } else if (/\.map$/.test(filePath)) { | |
+ } else if (/\.map$/.test(reqPath)) { | |
contentType = 'application/json'; | |
- } else if (/\.css/.test(filePath)) { | |
+ } else if (/\.css/.test(reqPath)) { | |
contentType = 'text/css'; | |
body = body.replace(/\.\.\/(images|fonts)\//g, '?doc&path=$1/'); | |
} |
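Review bot: The content-type dispatch on lines 42–52 now tests the raw `reqPath` rather than the normalized `filePath` that is actually read, and the `.png` and `.css` patterns are unanchored, so a request path like `x.png/../index.html` (constructed example) resolves to `index.html` yet is labelled `image/png`. Deriving the type from the file that is opened keeps the label and the bytes consistent, e.g. `var ext = path.extname(filePath);` followed by `ext === '.js'`, `ext === '.png'` and so on instead of the regex tests. The same mismatch affects the rewrite test `reqPath === '/index.html'` on line 34 of the first hunk, which does not match `index.html` or `./index.html` although they resolve to the same file; comparing the normalized path, `filePath === path.join(docRoot, 'index.html')`, would be more robust. staticServe's body continues past the end of the hunk.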