gwicke/gist:bf7e32b6631a4a85be6c Secret

## gistfile1.txt
commit 8462979618f674bbd5db25e6f7fec88a25ceb422
Author: Gabriel Wicke <gwicke@wikimedia.org>
Date:   Sun Jan 17 00:51:48 2016 -0800

    Make sure relative paths are disallowed in swagger-ui resource end point

    Deny access if a relative path was specified for swagger-ui resources.

diff --git a/lib/swaggerUI.js b/lib/swaggerUI.js
index afb13e2..cbfdd3f 100644
--- a/lib/swaggerUI.js
+++ b/lib/swaggerUI.js
@@ -7,11 +7,19 @@ var path = require('path');
 var docRoot = require('swagger-ui').dist + '/';

 function staticServe(restbase, req) {
-    // Expand any relative paths for security
-    var filePath = req.query.path.replace(/\.\.\//g, '');
-    return fs.readFileAsync(docRoot + filePath, 'utf8')
+    var reqPath = req.query.path;
+
+    var filePath = path.join(docRoot, reqPath);
+
+    // Disallow relative paths.
+    // Test relies on docRoot ending on a slash.
+    if (filePath.substring(0, docRoot.length) !== docRoot) {
+        throw new Error("Invalid path.");
+    }
+
+    return fs.readFileAsync(filePath, 'utf8')
     .then(function(body) {
-        if (filePath === '/index.html') {
+        if (reqPath === '/index.html') {
             // Rewrite the HTML to use a query string
             body = body.replace(/((?:src|href)=['"])/g, '$1?doc=&path=')
                 // Some self-promotion
@@ -27,14 +35,14 @@ function staticServe(restbase, req) {
         }

         var contentType = 'text/html';
-        if (/\.js$/.test(filePath)) {
+        if (/\.js$/.test(reqPath)) {
             contentType = 'text/javascript';
             body = body.replace(/underscore\-min\.map/, '?doc=&path=lib/underscore-min.map');
-        } else if (/\.png/.test(filePath)) {
+        } else if (/\.png/.test(reqPath)) {
             contentType = 'image/png';
-        } else if (/\.map$/.test(filePath)) {
+        } else if (/\.map$/.test(reqPath)) {
             contentType = 'application/json';
-        } else if (/\.css/.test(filePath)) {
+        } else if (/\.css/.test(reqPath)) {
             contentType = 'text/css';
             body = body.replace(/\.\.\/(images|fonts)\//g, '?doc&path=$1/');
         }
	commit 8462979618f674bbd5db25e6f7fec88a25ceb422
	Author: Gabriel Wicke <gwicke@wikimedia.org>
	Date: Sun Jan 17 00:51:48 2016 -0800

	Make sure relative paths are disallowed in swagger-ui resource end point

	Deny access if a relative path was specified for swagger-ui resources.

	diff --git a/lib/swaggerUI.js b/lib/swaggerUI.js
	index afb13e2..cbfdd3f 100644
	--- a/lib/swaggerUI.js
	+++ b/lib/swaggerUI.js
	@@ -7,11 +7,19 @@ var path = require('path');
	var docRoot = require('swagger-ui').dist + '/';

	function staticServe(restbase, req) {
	- // Expand any relative paths for security
	- var filePath = req.query.path.replace(/\.\.\//g, '');
	- return fs.readFileAsync(docRoot + filePath, 'utf8')
	+ var reqPath = req.query.path;
	+
	+ var filePath = path.join(docRoot, reqPath);
	+
	+ // Disallow relative paths.
	+ // Test relies on docRoot ending on a slash.
	+ if (filePath.substring(0, docRoot.length) !== docRoot) {
	+ throw new Error("Invalid path.");
	+ }
	+
	+ return fs.readFileAsync(filePath, 'utf8')
	.then(function(body) {
	- if (filePath === '/index.html') {
	+ if (reqPath === '/index.html') {
	// Rewrite the HTML to use a query string
	body = body.replace(/((?:src\|href)=['"])/g, '$1?doc=&path=')
	// Some self-promotion
	@@ -27,14 +35,14 @@ function staticServe(restbase, req) {
	}

	var contentType = 'text/html';
	- if (/\.js$/.test(filePath)) {
	+ if (/\.js$/.test(reqPath)) {
	contentType = 'text/javascript';
	body = body.replace(/underscore\-min\.map/, '?doc=&path=lib/underscore-min.map');
	- } else if (/\.png/.test(filePath)) {
	+ } else if (/\.png/.test(reqPath)) {
	contentType = 'image/png';
	- } else if (/\.map$/.test(filePath)) {
	+ } else if (/\.map$/.test(reqPath)) {
	contentType = 'application/json';
	- } else if (/\.css/.test(filePath)) {
	+ } else if (/\.css/.test(reqPath)) {
	contentType = 'text/css';
	body = body.replace(/\.\.\/(images\|fonts)\//g, '?doc&path=$1/');
	}