This is an automated email from the ASF dual-hosted git repository.

jking pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/thrift.git


The following commit(s) were added to refs/heads/master by this push:
     new 2a2b72f  Thrift-4647: Node.js Filesever webroot fixed path
2a2b72f is described below

commit 2a2b72f6c8aef200ecee4984f011e06052288ff2
Author: jfarrell <[email protected]>
AuthorDate: Thu Oct 4 23:00:28 2018 -0400

    Thrift-4647: Node.js Filesever webroot fixed path
    
    Updates the Node.js file server to use a fixed base webroot that cannot
    be escaped by end users.
---
 lib/js/test/server_http.js          |  2 +-
 lib/js/test/server_https.js         |  2 +-
 lib/nodejs/lib/thrift/web_server.js | 10 +++++++++-
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/lib/js/test/server_http.js b/lib/js/test/server_http.js
index d04f578..8380c3a 100644
--- a/lib/js/test/server_http.js
+++ b/lib/js/test/server_http.js
@@ -42,7 +42,7 @@ const ThriftTestSvcOpt = {
 };
 
 const ThriftWebServerOptions = {
-       files: '.',
+       files: __dirname,
        services: {
                '/service': ThriftTestSvcOpt
        }
diff --git a/lib/js/test/server_https.js b/lib/js/test/server_https.js
index 504f3b5..1a171dd 100644
--- a/lib/js/test/server_https.js
+++ b/lib/js/test/server_https.js
@@ -42,7 +42,7 @@ const ThriftTestSvcOpt = {
 };
 
 const ThriftWebServerOptions = {
-  files: '.',
+  files: __dirname,
   tls: {
      key: fs.readFileSync('../../../test/keys/server.key'),
      cert: fs.readFileSync('../../../test/keys/server.crt')
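Review bot: The `files` option is now anchored to `__dirname`, but the `key` and `cert` reads on the two context lines just below it are still resolved against the process working directory, so the test server only starts when launched from one specific directory while serving files from another. For consistency with the new line I would anchor them the same way, `key: fs.readFileSync(path.join(__dirname, '../../../test/keys/server.key'))` and likewise for `cert`, assuming `path` is required elsewhere in this file (not visible in the hunk). The same `files: __dirname` change in lib/js/test/server_http.js needs no such follow-up since it reads no other files.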
diff --git a/lib/nodejs/lib/thrift/web_server.js 
b/lib/nodejs/lib/thrift/web_server.js
index 0093c8a..a33f47a 100644
--- a/lib/nodejs/lib/thrift/web_server.js
+++ b/lib/nodejs/lib/thrift/web_server.js
@@ -415,7 +415,15 @@ exports.createWebServer = function(options) {
 
     //Locate the file requested and send it
     var uri = url.parse(request.url).pathname;
-    var filename = path.join(baseDir, uri);
+    var filename = path.resolve(path.join(baseDir, uri));
+
+    //Ensure the basedir path is not able to be escaped
+    if (filename.indexOf(baseDir) != 0) {
+      response.writeHead(400, "Invalid request path", {});
+      response.end();
+      return;
+    }
+
     fs.exists(filename, function(exists) {
       if(!exists) {
         response.writeHead(404);
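Review bot: The containment guard `if (filename.indexOf(baseDir) != 0)` is a raw string-prefix test, so a resolved path that merely shares leading characters with the root (a sibling directory such as `/srv/www-private` when baseDir is `/srv/www`) is accepted, and the check only works at all when baseDir is already absolute and normalized, because `path.resolve` always yields an absolute path while baseDir is compared as given — a relative value such as `'.'` makes every request return 400, which is presumably why the two test servers in this commit switched to `__dirname`. I would resolve the root once and compare on a separator boundary: `var root = path.resolve(baseDir);`, `var filename = path.join(root, uri);`, `if (filename !== root && filename.indexOf(root + path.sep) !== 0) {`. Where baseDir is defined and whether it is already normalized is outside the hunk, and the enclosing request handler both starts and ends outside it, so the exact placement of the `root` line should be checked against the surrounding code. Minor style point: the new comparison should use `!==` rather than `!=`.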
