Mirroristas/CommunitySolidServer
2
0
Fork 0
mirror of https://github.com/CommunitySolidServer/CommunitySolidServer.git synced 2024-10-03 14:55:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: Allow path segments to start with 2 or more dots

Browse Source
This commit is contained in:
Joachim Van Herwegen 2024-03-25 09:32:53 +01:00
parent 33e9ae4191
commit 6fe6b6ec89
4 changed files with 11 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/storage/mapping/BaseFileIdentifierMapper.ts
View File

@ -205,9 +205,9 @@ export class BaseFileIdentifierMapper implements FileIdentifierMapper {
throw new BadRequestHttpError('URL needs a / after the base'); throw new BadRequestHttpError('URL needs a / after the base');
} }
if (path.includes('/..')) { if (path.includes('/../') || path.endsWith('/..')) {
this.logger.warn(`Disallowed /.. segment in URL ${identifier.path}.`); this.logger.warn(`Disallowed /../ segment in URL ${identifier.path}.`);
throw new BadRequestHttpError('Disallowed /.. segment in URL'); throw new BadRequestHttpError('Disallowed /../ segment in URL');
} }
} }

8
test/unit/storage/mapping/BaseFileIdentifierMapper.test.ts
View File

@ -22,9 +22,13 @@ describe('An BaseFileIdentifierMapper', (): void => {
}); });
it('throws 400 if the input path contains relative parts.', async(): Promise<void> => { it('throws 400 if the input path contains relative parts.', async(): Promise<void> => {
const result = mapper.mapUrlToFilePath({ path: `${base}test/../test2` }, false); let result = mapper.mapUrlToFilePath({ path: `${base}test/../test2` }, false);
await expect(result).rejects.toThrow(BadRequestHttpError); await expect(result).rejects.toThrow(BadRequestHttpError);
await expect(result).rejects.toThrow('Disallowed /.. segment in URL'); await expect(result).rejects.toThrow('Disallowed /../ segment in URL');
result = mapper.mapUrlToFilePath({ path: `${base}test/..` }, false);
await expect(result).rejects.toThrow(BadRequestHttpError);
await expect(result).rejects.toThrow('Disallowed /../ segment in URL');
}); });
it('returns the corresponding file path for container identifiers.', async(): Promise<void> => { it('returns the corresponding file path for container identifiers.', async(): Promise<void> => {

2
test/unit/storage/mapping/ExtensionBasedMapper.test.ts
View File

@ -38,7 +38,7 @@ describe('An ExtensionBasedMapper', (): void => {
it('throws 400 if the input path contains relative parts.', async(): Promise<void> => { it('throws 400 if the input path contains relative parts.', async(): Promise<void> => {
const result = mapper.mapUrlToFilePath({ path: `${base}test/../test2` }, false); const result = mapper.mapUrlToFilePath({ path: `${base}test/../test2` }, false);
await expect(result).rejects.toThrow(BadRequestHttpError); await expect(result).rejects.toThrow(BadRequestHttpError);
await expect(result).rejects.toThrow('Disallowed /.. segment in URL'); await expect(result).rejects.toThrow('Disallowed /../ segment in URL');
}); });
it('returns the corresponding file path for container identifiers.', async(): Promise<void> => { it('returns the corresponding file path for container identifiers.', async(): Promise<void> => {

2
test/unit/storage/mapping/FixedContentTypeMapper.test.ts
View File

@ -25,7 +25,7 @@ describe('An FixedContentTypeMapper', (): void => {
it('throws 400 if the input path contains relative parts.', async(): Promise<void> => { it('throws 400 if the input path contains relative parts.', async(): Promise<void> => {
const result = mapper.mapUrlToFilePath({ path: `${base}test/../test2` }, false); const result = mapper.mapUrlToFilePath({ path: `${base}test/../test2` }, false);
await expect(result).rejects.toThrow(BadRequestHttpError); await expect(result).rejects.toThrow(BadRequestHttpError);
await expect(result).rejects.toThrow('Disallowed /.. segment in URL'); await expect(result).rejects.toThrow('Disallowed /../ segment in URL');
}); });
it('returns the corresponding file path for container identifiers.', async(): Promise<void> => { it('returns the corresponding file path for container identifiers.', async(): Promise<void> => {