Merge pull request #19096 from Rob--W/test-server-hardening

Fix path traversal issue in createTemporaryNodeServer
Tim van der Meij 2024-11-24 15:30:22 +01:00 committed by GitHub
commit 8ae5b4e442
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -127,9 +127,23 @@ function createTemporaryNodeServer() {
const fs = process.getBuiltinModule("fs"), const fs = process.getBuiltinModule("fs"),
http = process.getBuiltinModule("http"); http = process.getBuiltinModule("http");
function isAcceptablePath(requestUrl) {
try {
// Reject unnormalized paths, to protect against path traversal attacks.
const url = new URL(requestUrl, "https://localhost/");
return url.pathname === requestUrl;
} catch {
return false;
}
}
// Create http server to serve pdf data for tests. // Create http server to serve pdf data for tests.
const server = http const server = http
.createServer((request, response) => { .createServer((request, response) => {
if (!isAcceptablePath(request.url)) {
response.writeHead(400);
response.end("Invalid path");
return;
}
const filePath = process.cwd() + "/test/pdfs" + request.url; const filePath = process.cwd() + "/test/pdfs" + request.url;
fs.promises.lstat(filePath).then( fs.promises.lstat(filePath).then(
stat => { stat => {
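Review bot: The new `isAcceptablePath` guard validates the URL string, but `filePath` is still built by concatenating `request.url` onto `process.cwd() + "/test/pdfs"`, so containment depends entirely on the URL parser normalising every form the file system would treat as a parent reference. A check on the resolved path would make the guarantee local to the file access, for example `const root = path.resolve(process.cwd(), "test/pdfs"), resolved = path.resolve(filePath);` followed by `if (resolved !== root && !resolved.startsWith(root + path.sep)) { response.writeHead(400); response.end("Invalid path"); return; }`. This assumes a `path` binding obtained the same way as `fs` and `http`, which the visible lines do not load. The comment above the `new URL` call could also state that a request carrying a query string is rejected as a side effect, because `url.pathname` never includes it. The request handler continues past the end of this hunk, so how directories and symlinks reported by `lstat` are handled is not visible here.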