2020-02-19 11:14:28 +00:00
|
|
|
/* eslint-disable
|
|
|
|
no-cond-assign,
|
|
|
|
no-unused-vars,
|
2022-05-16 14:25:49 +00:00
|
|
|
n/no-deprecated-api,
|
2020-02-19 11:14:28 +00:00
|
|
|
*/
|
|
|
|
// TODO: This file was created by bulk-decaffeinate.
|
|
|
|
// Fix any style issues and re-enable lint.
|
2020-02-19 11:14:14 +00:00
|
|
|
/*
|
|
|
|
* decaffeinate suggestions:
|
|
|
|
* DS101: Remove unnecessary use of Array.from
|
|
|
|
* DS102: Remove unnecessary code created because of implicit returns
|
|
|
|
* DS207: Consider shorter variations of null checks
|
|
|
|
* Full docs: https://github.com/decaffeinate/decaffeinate/blob/master/docs/suggestions.md
|
|
|
|
*/
|
2020-02-19 11:14:37 +00:00
|
|
|
let ForbidSymlinks
|
|
|
|
const Path = require('path')
|
|
|
|
const fs = require('fs')
|
2021-07-12 16:47:21 +00:00
|
|
|
const Settings = require('@overleaf/settings')
|
2022-03-01 15:09:36 +00:00
|
|
|
const logger = require('@overleaf/logger')
|
2015-02-27 13:57:57 +00:00
|
|
|
|
2020-08-10 16:01:11 +00:00
|
|
|
module.exports = ForbidSymlinks = function (staticFn, root, options) {
|
2020-02-19 11:14:37 +00:00
|
|
|
const expressStatic = staticFn(root, options)
|
|
|
|
const basePath = Path.resolve(root)
|
2020-08-10 16:01:11 +00:00
|
|
|
return function (req, res, next) {
|
2023-03-22 11:52:39 +00:00
|
|
|
let file, projectId, result
|
2021-10-20 10:17:59 +00:00
|
|
|
const path = req.url
|
2020-02-19 11:14:37 +00:00
|
|
|
// check that the path is of the form /project_id_or_name/path/to/file.log
|
|
|
|
if ((result = path.match(/^\/?([a-zA-Z0-9_-]+)\/(.*)/))) {
|
2023-03-22 11:52:39 +00:00
|
|
|
projectId = result[1]
|
2020-02-19 11:14:37 +00:00
|
|
|
file = result[2]
|
|
|
|
} else {
|
|
|
|
logger.warn({ path }, 'unrecognized file request')
|
|
|
|
return res.sendStatus(404)
|
|
|
|
}
|
|
|
|
// check that the file does not use a relative path
|
|
|
|
for (const dir of Array.from(file.split('/'))) {
|
|
|
|
if (dir === '..') {
|
|
|
|
logger.warn({ path }, 'attempt to use a relative path')
|
|
|
|
return res.sendStatus(404)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
// check that the requested path is normalized
|
2023-03-22 11:52:39 +00:00
|
|
|
const requestedFsPath = `${basePath}/${projectId}/${file}`
|
2020-02-19 11:14:37 +00:00
|
|
|
if (requestedFsPath !== Path.normalize(requestedFsPath)) {
|
|
|
|
logger.error(
|
|
|
|
{ path: requestedFsPath },
|
|
|
|
'requestedFsPath is not normalized'
|
|
|
|
)
|
|
|
|
return res.sendStatus(404)
|
|
|
|
}
|
|
|
|
// check that the requested path is not a symlink
|
2020-08-10 16:01:11 +00:00
|
|
|
return fs.realpath(requestedFsPath, function (err, realFsPath) {
|
2020-02-19 11:14:37 +00:00
|
|
|
if (err != null) {
|
|
|
|
if (err.code === 'ENOENT') {
|
|
|
|
return res.sendStatus(404)
|
|
|
|
} else {
|
|
|
|
logger.error(
|
|
|
|
{
|
|
|
|
err,
|
|
|
|
requestedFsPath,
|
|
|
|
realFsPath,
|
|
|
|
path: req.params[0],
|
2023-03-22 11:52:39 +00:00
|
|
|
projectId: req.params.project_id,
|
2020-02-19 11:14:37 +00:00
|
|
|
},
|
|
|
|
'error checking file access'
|
|
|
|
)
|
|
|
|
return res.sendStatus(500)
|
|
|
|
}
|
|
|
|
} else if (requestedFsPath !== realFsPath) {
|
|
|
|
logger.warn(
|
|
|
|
{
|
|
|
|
requestedFsPath,
|
|
|
|
realFsPath,
|
|
|
|
path: req.params[0],
|
2023-03-22 11:52:39 +00:00
|
|
|
projectId: req.params.project_id,
|
2020-02-19 11:14:37 +00:00
|
|
|
},
|
|
|
|
'trying to access a different file (symlink), aborting'
|
|
|
|
)
|
|
|
|
return res.sendStatus(404)
|
|
|
|
} else {
|
|
|
|
return expressStatic(req, res, next)
|
|
|
|
}
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|