DorianNiemiecSVRJS/svrjs
Archived
1
0
Fork 0
forked from svrjs/svrjs
Code Pull requests Activity

Lint out the codebase.

Browse source
This commit is contained in:
Dorian Niemiec 2024-08-24 17:46:55 +02:00
parent 67fec5fe98
commit 519988fbdb
1 changed files with 146 additions and 73 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

219
src/middleware/checkForbiddenPaths.js
View file

@ -3,108 +3,181 @@ const path = require("path");
// Function to get URL path for use in forbidden path adding. // Function to get URL path for use in forbidden path adding.
function getInitializePath(to) { function getInitializePath(to) {
var cwd = process.cwd(); var cwd = process.cwd();
if (os.platform() == "win32") { if (os.platform() == "win32") {
to = to.replace(/\//g, "\\"); to = to.replace(/\//g, "\\");
if (to[0] == "\\") to = cwd.split("\\")[0] + to; if (to[0] == "\\") to = cwd.split("\\")[0] + to;
}
var absoluteTo = path.isAbsolute(to) ? to : (__dirname + (os.platform() == "win32" ? "\\" : "/") + to);
if (os.platform() == "win32" && cwd[0] != absoluteTo[0]) return "";
var relative = path.relative(cwd, absoluteTo);
if (os.platform() == "win32") {
return "/" + relative.replace(/\\/g, "/");
} else {
return "/" + relative;
}
} }
var absoluteTo = path.isAbsolute(to)
// Function to check if URL path name is a forbidden path. ? to
function isForbiddenPath(decodedHref, match) { : __dirname + (os.platform() == "win32" ? "\\" : "/") + to;
var forbiddenPath = forbiddenPaths[match]; if (os.platform() == "win32" && cwd[0] != absoluteTo[0]) return "";
if (!forbiddenPath) return false; var relative = path.relative(cwd, absoluteTo);
if (typeof forbiddenPath === "string") { if (os.platform() == "win32") {
return decodedHref === forbiddenPath || (os.platform() === "win32" && decodedHref.toLowerCase() === forbiddenPath.toLowerCase()); return "/" + relative.replace(/\\/g, "/");
} } else {
if (typeof forbiddenPath === "object") { return "/" + relative;
return forbiddenPath.some(function (forbiddenPathSingle) {
return (decodedHref === forbiddenPathSingle || (os.platform() === "win32" && decodedHref.toLowerCase() === forbiddenPathSingle.toLowerCase()));
});
}
return false;
} }
}
// Function to check if URL path name is index of one of defined forbidden paths.
function isIndexOfForbiddenPath(decodedHref, match) { // Function to check if URL path name is a forbidden path.
var forbiddenPath = forbiddenPaths[match]; function isForbiddenPath(decodedHref, match) {
if (!forbiddenPath) return false; var forbiddenPath = forbiddenPaths[match];
if (typeof forbiddenPath === "string") { if (!forbiddenPath) return false;
return decodedHref === forbiddenPath || decodedHref.indexOf(forbiddenPath + "/") === 0 || (os.platform() === "win32" && (decodedHref.toLowerCase() === forbiddenPath.toLowerCase() || decodedHref.toLowerCase().indexOf(forbiddenPath.toLowerCase() + "/") === 0)); if (typeof forbiddenPath === "string") {
} return (
if (typeof forbiddenPath === "object") { decodedHref === forbiddenPath ||
return forbiddenPath.some(function (forbiddenPathSingle) { (os.platform() === "win32" &&
return (decodedHref === forbiddenPathSingle || decodedHref.indexOf(forbiddenPathSingle + "/") === 0 || (os.platform() === "win32" && (decodedHref.toLowerCase() === forbiddenPathSingle.toLowerCase() || decodedHref.toLowerCase().indexOf(forbiddenPathSingle.toLowerCase() + "/") === 0))); decodedHref.toLowerCase() === forbiddenPath.toLowerCase())
}); );
}
return false;
} }
if (typeof forbiddenPath === "object") {
// Set up forbidden paths return forbiddenPath.some(function (forbiddenPathSingle) {
var forbiddenPaths = {}; return (
decodedHref === forbiddenPathSingle ||
forbiddenPaths.config = getInitializePath("./config.json"); (os.platform() === "win32" &&
forbiddenPaths.certificates = []; decodedHref.toLowerCase() === forbiddenPathSingle.toLowerCase())
if (process.serverConfig.secure) { );
forbiddenPaths.certificates.push(getInitializePath(configJSON.cert));
forbiddenPaths.certificates.push(getInitializePath(configJSON.key));
Object.keys(sni).forEach(function (sniHostName) {
forbiddenPaths.certificates.push(getInitializePath(sni[sniHostName].cert));
forbiddenPaths.certificates.push(getInitializePath(sni[sniHostName].key));
}); });
} }
forbiddenPaths.svrjs = getInitializePath("./" + ((__dirname[__dirname.length - 1] != "/") ? __filename.replace(__dirname + "/", "") : __filename.replace(__dirname, ""))); return false;
forbiddenPaths.serverSideScripts = []; }
if (process.serverConfig.useWebRootServerSideScript) {
forbiddenPaths.serverSideScripts.push("/serverSideScript.js");
} else {
forbiddenPaths.serverSideScripts.push(getInitializePath("./serverSideScript.js"));
}
forbiddenPaths.serverSideScriptDirectories = [];
forbiddenPaths.serverSideScriptDirectories.push(getInitializePath("./node_modules"));
forbiddenPaths.serverSideScriptDirectories.push(getInitializePath("./mods"));
forbiddenPaths.temp = getInitializePath("./temp");
forbiddenPaths.log = getInitializePath("./log");
// Function to check if URL path name is index of one of defined forbidden paths.
function isIndexOfForbiddenPath(decodedHref, match) {
var forbiddenPath = forbiddenPaths[match];
if (!forbiddenPath) return false;
if (typeof forbiddenPath === "string") {
return (
decodedHref === forbiddenPath ||
decodedHref.indexOf(forbiddenPath + "/") === 0 ||
(os.platform() === "win32" &&
(decodedHref.toLowerCase() === forbiddenPath.toLowerCase() ||
decodedHref
.toLowerCase()
.indexOf(forbiddenPath.toLowerCase() + "/") === 0))
);
}
if (typeof forbiddenPath === "object") {
return forbiddenPath.some(function (forbiddenPathSingle) {
return (
decodedHref === forbiddenPathSingle ||
decodedHref.indexOf(forbiddenPathSingle + "/") === 0 ||
(os.platform() === "win32" &&
(decodedHref.toLowerCase() === forbiddenPathSingle.toLowerCase() ||
decodedHref
.toLowerCase()
.indexOf(forbiddenPathSingle.toLowerCase() + "/") === 0))
);
});
}
return false;
}
// Set up forbidden paths
var forbiddenPaths = {};
forbiddenPaths.config = getInitializePath("./config.json");
forbiddenPaths.certificates = [];
if (process.serverConfig.secure) {
forbiddenPaths.certificates.push(
getInitializePath(process.serverConfig.cert),
);
forbiddenPaths.certificates.push(getInitializePath(process.serverConfig.key));
Object.keys(process.serverConfig.sni).forEach(function (sniHostname) {
forbiddenPaths.certificates.push(
getInitializePath(process.serverConfig.sni[sniHostname].cert),
);
forbiddenPaths.certificates.push(
getInitializePath(process.serverConfig.sni[sniHostname].key),
);
});
}
forbiddenPaths.svrjs = getInitializePath(
"./" +
(__dirname[__dirname.length - 1] != "/"
? __filename.replace(__dirname + "/", "")
: __filename.replace(__dirname, "")),
);
forbiddenPaths.serverSideScripts = [];
if (process.serverConfig.useWebRootServerSideScript) {
forbiddenPaths.serverSideScripts.push("/serverSideScript.js");
} else {
forbiddenPaths.serverSideScripts.push(
getInitializePath("./serverSideScript.js"),
);
}
forbiddenPaths.serverSideScriptDirectories = [];
forbiddenPaths.serverSideScriptDirectories.push(
getInitializePath("./node_modules"),
);
forbiddenPaths.serverSideScriptDirectories.push(getInitializePath("./mods"));
forbiddenPaths.temp = getInitializePath("./temp");
forbiddenPaths.log = getInitializePath("./log");
module.exports = (req, res, logFacilities, config, next) => { module.exports = (req, res, logFacilities, config, next) => {
let decodedHrefWithoutDuplicateSlashes = ""; let decodedHrefWithoutDuplicateSlashes = "";
try { try {
decodedHrefWithoutDuplicateSlashes = decodeURIComponent(req.parsedURL.pathname).replace(/\/+/g,"/"); decodedHrefWithoutDuplicateSlashes = decodeURIComponent(
req.parsedURL.pathname,
).replace(/\/+/g, "/");
} catch (err) { } catch (err) {
res.error(400); res.error(400);
} }
// Check if path is forbidden // Check if path is forbidden
if ((isForbiddenPath(decodedHrefWithoutDuplicateSlashes, "config") || isForbiddenPath(decodedHrefWithoutDuplicateSlashes, "certificates")) && !req.isProxy) { if (
(isForbiddenPath(decodedHrefWithoutDuplicateSlashes, "config") ||
isForbiddenPath(decodedHrefWithoutDuplicateSlashes, "certificates")) &&
!req.isProxy
) {
res.error(403); res.error(403);
logFacilities.errmessage("Access to configuration file/certificates is denied."); logFacilities.errmessage(
"Access to configuration file/certificates is denied.",
);
return; return;
} else if (isIndexOfForbiddenPath(decodedHrefWithoutDuplicateSlashes, "temp") && !isProxy) { } else if (
isIndexOfForbiddenPath(decodedHrefWithoutDuplicateSlashes, "temp") &&
!req.isProxy
) {
res.error(403); res.error(403);
logFacilities.errmessage("Access to temporary folder is denied."); logFacilities.errmessage("Access to temporary folder is denied.");
return; return;
} else if (isIndexOfForbiddenPath(decodedHrefWithoutDuplicateSlashes, "log") && !isProxy && (config.enableLogging || config.enableLogging == undefined) && !config.enableRemoteLogBrowsing) { } else if (
isIndexOfForbiddenPath(decodedHrefWithoutDuplicateSlashes, "log") &&
!req.isProxy &&
(config.enableLogging || config.enableLogging == undefined) &&
!config.enableRemoteLogBrowsing
) {
res.error(403); res.error(403);
logFacilities.errmessage("Access to log files is denied."); logFacilities.errmessage("Access to log files is denied.");
return; return;
} else if (isForbiddenPath(decodedHrefWithoutDuplicateSlashes, "svrjs") && !isProxy && !exposeServerVersion) { } else if (
isForbiddenPath(decodedHrefWithoutDuplicateSlashes, "svrjs") &&
!req.isProxy &&
!config.exposeServerVersion
) {
res.error(403); res.error(403);
logFacilities.errmessage("Access to SVR.JS script is denied."); logFacilities.errmessage("Access to SVR.JS script is denied.");
return; return;
} else if ((isForbiddenPath(decodedHrefWithoutDuplicateSlashes, "svrjs") || isForbiddenPath(decodedHrefWithoutDuplicateSlashes, "serverSideScripts") || isIndexOfForbiddenPath(decodedHrefWithoutDuplicateSlashes, "serverSideScriptDirectories")) && !isProxy && (config.disableServerSideScriptExpose || config.disableServerSideScriptExpose === undefined)) { } else if (
(isForbiddenPath(decodedHrefWithoutDuplicateSlashes, "svrjs") ||
isForbiddenPath(
decodedHrefWithoutDuplicateSlashes,
"serverSideScripts",
) ||
isIndexOfForbiddenPath(
decodedHrefWithoutDuplicateSlashes,
"serverSideScriptDirectories",
)) &&
!req.isProxy &&
(config.disableServerSideScriptExpose ||
config.disableServerSideScriptExpose === undefined)
) {
res.error(403); res.error(403);
logFacilities.errmessage("Access to sources is denied."); logFacilities.errmessage("Access to sources is denied.");
return; return;
} }
next(); next();
} };