From 41901d9a27b46d39deaf7ce998bd57dc619e20ce Mon Sep 17 00:00:00 2001
From: Dorian Niemiec
Date: Thu, 29 Aug 2024 19:37:03 +0200
Subject: [PATCH] Fix the forbidden path checking function, and add test cases, where it would fail before the fix

---
 src/utils/forbiddenPaths.js        | 15 +++++++++++----
 tests/utils/forbiddenPaths.test.js |  7 +++++++
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/src/utils/forbiddenPaths.js b/src/utils/forbiddenPaths.js
index d2d4007..e836e25 100644
--- a/src/utils/forbiddenPaths.js
+++ b/src/utils/forbiddenPaths.js
@@ -54,16 +54,23 @@ function isIndexOfForbiddenPath(decodedHref, match) {
   if (typeof forbiddenPath === "string") {
     const forbiddenPathLower = isWin32 ? forbiddenPath.toLowerCase() : null;
     return isWin32
-      ? decodedHrefLower.indexOf(forbiddenPathLower) == 0
-      : decodedHref.indexOf(forbiddenPath) == 0;
+      ? decodedHrefLower === forbiddenPathLower ||
+        decodedHrefLower.indexOf(forbiddenPathLower + "/") == 0
+      : decodedHref === forbiddenPath ||
+        decodedHref.indexOf(forbiddenPath + "/") == 0;
   }
 
   if (typeof forbiddenPath === "object") {
     return isWin32
       ? forbiddenPath.some(
-          (path) => decodedHrefLower.indexOf(path.toLowerCase()) == 0,
+          (path) =>
+            decodedHrefLower === path.toLowerCase() ||
+            decodedHrefLower.indexOf(path.toLowerCase() + "/") == 0,
         )
-        : forbiddenPath.some((path) => decodedHref.indexOf(path) == 0);
+        : forbiddenPath.some(
+          (path) =>
+            decodedHref === path || decodedHref.indexOf(path + "/") == 0,
+        );
   }
 
   return false;
diff --git a/tests/utils/forbiddenPaths.test.js b/tests/utils/forbiddenPaths.test.js
index 3261428..1badecb 100644
--- a/tests/utils/forbiddenPaths.test.js
+++ b/tests/utils/forbiddenPaths.test.js
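Review bot: The boundary check in the four rewritten comparisons assumes forbidden-path entries carry no trailing slash: an entry written as `/node_modules/` becomes `/node_modules//` after `+ "/"`, so `/node_modules/x` would no longer be blocked even though the old prefix test caught it. I cannot see where the entries are normalized, so this may already be guaranteed upstream; if not, strip a trailing slash before comparing, or add a test with such an entry. The same expression is now spelled out four times with `indexOf(...) == 0`; a local helper such as `const isAtBoundary = (href, prefix) => href === prefix || href.startsWith(prefix + "/");` would collapse the branches and use strict comparison. On the Windows branch a backslash separator in the href (`/config.json\x`) would also miss the `"/"` boundary, presumably because hrefs are normalized to forward slashes before this function is reached — worth confirming. isIndexOfForbiddenPath starts before the hunk, where decodedHrefLower, isWin32 and forbiddenPath are set.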
@@ -117,6 +117,13 @@ describe("Forbidden paths handling", () => {
     expect(
       isIndexOfForbiddenPath("/notforbidden/", "serverSideScriptDirectories"),
     ).toBe(false);
+    expect(isIndexOfForbiddenPath("/config.json.fake", "config")).toBe(false);
+    expect(
+      isIndexOfForbiddenPath(
+        "/node_modules_fake/",
+        "serverSideScriptDirectories",
+      ),
+    ).toBe(false);
   });
 
   test("should handle case insensitivity on Windows", () => {
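Review bot: The two added expectations only exercise the negative side of the boundary fix; nothing in this hunk checks that an exact match still returns true through the new `===` branch, e.g. `expect(isIndexOfForbiddenPath("/config.json", "config")).toBe(true);`, assuming the `config` entry resolves to `/config.json` and that case is not already covered earlier in the file. A sibling case in the Windows test that follows (`/CONFIG.JSON.fake` expected false) would pin the lowercased branch, which the source change also rewrote. The describe block begins and ends outside the hunk.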