Dangerous example
Opened this issue · 1 comment
bitdivine commented
The example server.js:
var fs = require('fs');
var staticHandler = function(request, response) {
  var path = request.url;  // taken straight from the request, never validated
  fs.readFile(__dirname + path, function(err, content) {
  });
};
doesn't validate the URL, so there is nothing stopping it from being e.g. /../spec/server.key (given a few lines later). Given that people are likely to copy the example, setting a safe precedent might be a good idea! :-)
jcoglan commented
That's a really good point, I don't want people to put that code in production. Is there a library for automatically sanitising the path? Otherwise I could add something like this to detect path traversal:
// (^|\/) segment start, \.\.? a "." or ".." segment, (\/|$) segment end
if (/(^|\/)\.\.?(\/|$)/.test(path)) {
  // reject request
}
I don't like how opaque that regex is but I also want to make this code safe.