Change regular expression for "poor mans" URL sanitizer

Dorian Niemiec 2024-03-31 17:59:15 +02:00
parent eac2bc9799
commit 1bb02da4fc


@ -147,7 +147,7 @@ But we have introduced path traversal vulnerability! (being able to access file
var server = http.createServer(function (req, res) { var server = http.createServer(function (req, res) {
var filename = "." + req.url; var filename = "." + req.url;
if(req.url == "/") filename = "./index.html"; if(req.url == "/") filename = "./index.html";
filename = filename.replace(/\\/g,"/").replace(/(?:\/|^)\.\.(?=(\/|$))/g,"$1").replace(/\/+/g,"/"); //Poor mans URL sanitizer filename = filename.replace(/\\/g,"/").replace(/(?:\/|^)\.\.?(?=(\/|$))/g,"$1").replace(/\/+/g,"/"); //Poor mans URL sanitizer
fs.readFile(filename, function(err, data) { fs.readFile(filename, function(err, data) {
if(err) { if(err) {
if(err.code == "ENOENT") { if(err.code == "ENOENT") {
@ -185,7 +185,7 @@ That might work fine for HTML files, but if you try other files, there will be c
var server = http.createServer(function (req, res) { var server = http.createServer(function (req, res) {
var filename = "." + req.url; var filename = "." + req.url;
if(req.url == "/") filename = "./index.html"; if(req.url == "/") filename = "./index.html";
filename = filename.replace(/\\/g,"/").replace(/(?:\/|^)\.\.(?=(\/|$))/g,"$1").replace(/\/+/g,"/"); //Poor mans URL sanitizer filename = filename.replace(/\\/g,"/").replace(/(?:\/|^)\.\.?(?=(\/|$))/g,"$1").replace(/\/+/g,"/"); //Poor mans URL sanitizer
var ext = path.extname(filename).substr(1); //path.extname gives "." character, so we're using substr(1) method. var ext = path.extname(filename).substr(1); //path.extname gives "." character, so we're using substr(1) method.
fs.readFile(filename, function(err, data) { fs.readFile(filename, function(err, data) {
if(err) { if(err) {
@ -225,7 +225,7 @@ But with query strings, it will fail. To prevent that, we'll be using WHATWG URL
var urlObject = new URL(req.url, "http://localhost"); var urlObject = new URL(req.url, "http://localhost");
var filename = "." + urlObject.pathname; var filename = "." + urlObject.pathname;
if(req.url == "/") filename = "./index.html"; if(req.url == "/") filename = "./index.html";
filename = filename.replace(/\\/g,"/").replace(/(?:\/|^)\.\.(?=(\/|$))/g,"$1").replace(/\/+/g,"/"); //Poor mans URL sanitizer filename = filename.replace(/\\/g,"/").replace(/(?:\/|^)\.\.?(?=(\/|$))/g,"$1").replace(/\/+/g,"/"); //Poor mans URL sanitizer
var ext = path.extname(filename).substr(1); //path.extname gives "." character, so we're using substr(1) method. var ext = path.extname(filename).substr(1); //path.extname gives "." character, so we're using substr(1) method.
fs.readFile(filename, function(err, data) { fs.readFile(filename, function(err, data) {
if(err) { if(err) {
@ -275,7 +275,7 @@ It's nearly finished! But encoded URLs will not work. To fix that, we will use `
return; return;
} }
if(req.url == "/") filename = "./index.html"; if(req.url == "/") filename = "./index.html";
filename = filename.replace(/\\/g,"/").replace(/(?:\/|^)\.\.(?=(\/|$))/g,"$1").replace(/\/+/g,"/"); //Poor mans URL sanitizer filename = filename.replace(/\\/g,"/").replace(/(?:\/|^)\.\.?(?=(\/|$))/g,"$1").replace(/\/+/g,"/"); //Poor mans URL sanitizer
var ext = path.extname(filename).substr(1); //path.extname gives "." character, so we're using substr(1) method. var ext = path.extname(filename).substr(1); //path.extname gives "." character, so we're using substr(1) method.
fs.readFile(filename, function(err, data) { fs.readFile(filename, function(err, data) {
if(err) { if(err) {
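Review bot: The sanitizer variant with `\.\.?` on the changed line (the same line in all four hunks on this page) also matches a lone `.` segment, and because `^` is accepted as the left boundary it consumes the leading `.` that `"." + req.url` puts in front of the path. As far as I can trace it, `./index.html` then becomes `//index.html` and, after the slash collapse, `/index.html`, so `fs.readFile` resolves from the filesystem root instead of the working directory. The page has lost its `+`/`-` markers, so this applies only if that variant is the new side, which the print order suggests but does not prove. Requiring a real slash on the left keeps the anchor intact, e.g. `.replace(/\/\.\.?(?=(\/|$))/g,"$1")`, and a sturdier check is to resolve the result against the served directory and answer 403 unless it stays inside that directory. The request handler's body continues past the end of each hunk.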