[Bug] Can render specific files at any path outside the root dir
21k opened this issue · 2 comments
21k commented
```js
if (isHtml(suffix) && !map) {
  return send(ctx, paths.rel, {
    root: path
  })
} else {
  const engineName = map && map[suffix] ? map[suffix] : suffix
  const render = engineSource[engineName]
  if (!engineName || !render)
    return Promise.reject(
      new Error(`Engine not found for the ".${suffix}" file extension`)
    )
  return render(resolve(path, paths.rel), state).then(html => {
    ...
  })
}
```
- If the file is HTML,
it uses the send function from the koa-send package, https://github.com/koajs/send/blob/master/index.js#L81,
which uses resolve-path to parse the rootPath and the relPath. In the code at https://github.com/pillarjs/resolve-path/blob/master/index.js#L82, it handles the path-outside-root case, so it's safe.
```js
var UP_PATH_REGEXP = /(?:^|[\\/])\.\.(?:[\\/]|$)/

// path outside root
if (UP_PATH_REGEXP.test(normalize('.' + sep + path))) {
  throw createError(403)
}
```
- If the file is anything else,
the code is https://github.com/queckezz/koa-views/blob/master/src/index.js#L49.
It uses map or consolidate; if map is not set, the render will be consolidate[file_suffix]. In the end it uses resolve from the node path package to handle the rootPath and the relPath, and there is no control of paths outside root. The problem is here: if the render engine exists, such a file can be rendered, for example:
http://127.0.0.1:7000/doc/..%2F..%2F..%2F..%2Fnode_modules%2Fkoa-views%2Ftest%2Ffixtures%2Fbasic.ejs
http://127.0.0.1:7000/doc?file=../../../../node_modules/koa-views/test/fixtures/basic.ejs
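One way to add the missing containment check before a template path reaches the render engine, as an added example that is not part of the original issue and is not koa-views or resolve-path code. The helper names `resolveInsideRoot` and `resolveUnchecked`, the root `/srv/app/views` and the sample paths are hypothetical and constructed for illustration.

```javascript
const path = require('path')

// Hypothetical helper: resolve `rel` under `root` and refuse any result
// that lands outside `root`, instead of trusting path.resolve() alone.
function resolveInsideRoot (root, rel) {
  if (typeof rel !== 'string' || rel.includes('\0')) {
    throw new Error('invalid path')
  }
  if (path.isAbsolute(rel)) {
    throw new Error('absolute path not allowed')
  }
  const base = path.resolve(root)
  const full = path.resolve(base, rel)
  // path.relative() starts with ".." exactly when `full` is not under `base`
  const back = path.relative(base, full)
  if (back === '..' || back.startsWith('..' + path.sep) || path.isAbsolute(back)) {
    throw new Error('path outside root')
  }
  return full
}

// The pattern the issue describes: resolve() follows ".." out of the root.
function resolveUnchecked (root, rel) {
  return path.resolve(root, rel)
}

// Constructed sample input: the relative path from the issue's first URL,
// after the framework has URL-decoded it.
const ROOT = '/srv/app/views'
const REL = decodeURIComponent(
  '..%2F..%2F..%2F..%2Fnode_modules%2Fkoa-views%2Ftest%2Ffixtures%2Fbasic.ejs'
)

function demo () {
  const unchecked = resolveUnchecked(ROOT, REL)
  let rejected = false
  try {
    resolveInsideRoot(ROOT, REL)
  } catch (err) {
    rejected = true
  }
  const ok = resolveInsideRoot(ROOT, 'doc/index.ejs')
  return { unchecked, rejected, ok }
}

console.log(demo())
```

The check is purely lexical: it does not resolve symlinks, so a symlink inside the root that points elsewhere would still be followed.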
int64ago commented
Nice catch! I'll fix it later.