Fix the forbidden path checking function, and add test cases, where it would fail before the fix

2024-08-29 19:37:03 +02:00 · 2024-08-29 19:37:03 +02:00 · 41901d9a27
commit 41901d9a27
parent 9f51366515
2 changed files with 18 additions and 4 deletions
--- a/src/utils/forbiddenPaths.js
+++ b/src/utils/forbiddenPaths.js
@ -54,16 +54,23 @@ function isIndexOfForbiddenPath(decodedHref, match) {
  if (typeof forbiddenPath === "string") {
    const forbiddenPathLower = isWin32 ? forbiddenPath.toLowerCase() : null;
    return isWin32
-      ? decodedHrefLower.indexOf(forbiddenPathLower) == 0
-      : decodedHref.indexOf(forbiddenPath) == 0;
+      ? decodedHrefLower === forbiddenPathLower ||
+          decodedHrefLower.indexOf(forbiddenPathLower + "/") == 0
+      : decodedHref === forbiddenPath ||
+          decodedHref.indexOf(forbiddenPath + "/") == 0;
  }

  if (typeof forbiddenPath === "object") {
    return isWin32
      ? forbiddenPath.some(
-          (path) => decodedHrefLower.indexOf(path.toLowerCase()) == 0,
+          (path) =>
+            decodedHrefLower === path.toLowerCase() ||
+            decodedHrefLower.indexOf(path.toLowerCase() + "/") == 0,
        )
-      : forbiddenPath.some((path) => decodedHref.indexOf(path) == 0);
+      : forbiddenPath.some(
+          (path) =>
+            decodedHref === path || decodedHref.indexOf(path + "/") == 0,
+        );
  }

  return false;
--- a/tests/utils/forbiddenPaths.test.js
+++ b/tests/utils/forbiddenPaths.test.js
@ -117,6 +117,13 @@ describe("Forbidden paths handling", () => {
      expect(
        isIndexOfForbiddenPath("/notforbidden/", "serverSideScriptDirectories"),
      ).toBe(false);
+      expect(isIndexOfForbiddenPath("/config.json.fake", "config")).toBe(false);
+      expect(
+        isIndexOfForbiddenPath(
+          "/node_modules_fake/",
+          "serverSideScriptDirectories",
+        ),
+      ).toBe(false);
    });

    test("should handle case insensitivity on Windows", () => {