From 1273a05ad49252559a4810ea960c06783a372aaa Mon Sep 17 00:00:00 2001
From: Brian Gough
Date: Tue, 21 Mar 2017 11:30:32 +0000
Subject: [PATCH] fix path match
---
 services/clsi/app/coffee/ResourceWriter.coffee | 2 +-
 services/clsi/test/unit/coffee/ResourceWriterTests.coffee | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/services/clsi/app/coffee/ResourceWriter.coffee b/services/clsi/app/coffee/ResourceWriter.coffee
index 8c3245f312..2bf6598012 100644
--- a/services/clsi/app/coffee/ResourceWriter.coffee
+++ b/services/clsi/app/coffee/ResourceWriter.coffee
@@ -90,7 +90,7 @@ module.exports = ResourceWriter =
 checkPath: (basePath, resourcePath, callback) ->
 path = Path.normalize(Path.join(basePath, resourcePath))
- if (path.slice(0, basePath.length) != basePath)
+ if (path.slice(0, basePath.length + 1) != basePath + "/")
 return callback new Error("resource path is outside root directory")
 else
 return callback(null, path)
diff --git a/services/clsi/test/unit/coffee/ResourceWriterTests.coffee b/services/clsi/test/unit/coffee/ResourceWriterTests.coffee
index c3c25cc23c..96140c9883 100644
--- a/services/clsi/test/unit/coffee/ResourceWriterTests.coffee
+++ b/services/clsi/test/unit/coffee/ResourceWriterTests.coffee
@@ -173,3 +173,11 @@ describe "ResourceWriter", ->
 it "should return an error", ->
 @callback.calledWith(new Error("resource path is outside root directory"))
 .should.equal true
+
+ describe "with another invalid path matching on a prefix", ->
+ beforeEach ->
+ @ResourceWriter.checkPath("foo", "../foobar/baz", @callback)
+
+ it "should return an error", ->
+ @callback.calledWith(new Error("resource path is outside root directory"))
+ .should.equal true
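Review bot: The new comparison in checkPath only holds when basePath is already normalized and carries no trailing slash. With a basePath such as `foo/` or `./foo`, `basePath + "/"` never matches the normalized `path`, so every resource is rejected. That fails closed, but it can be avoided by deriving the prefix the same way as the path, e.g. `root = Path.normalize(basePath + "/")` followed by `if (path.slice(0, root.length) != root)`. The check is also purely lexical: if the compile directory can contain symlinks (not visible from this hunk), a comment stating that checkPath does not resolve them would help anyone relying on it as the containment boundary.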
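Review bot: The added case only exercises a sibling directory that shares the prefix (`../foobar/baz`), so the boundary introduced by the new comparison is not pinned. A case where the resource resolves to the base directory itself (for example `checkPath("foo", ".", @callback)`) and one with a trailing-slash base path would document the intended results. The assertion also relies on how `calledWith` compares two distinct `Error` objects, which is not visible here; checking the `message` of the callback's first argument would ensure the test cannot pass on an unrelated error. The enclosing `describe "ResourceWriter"` block starts outside the hunk.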