Check file is not a symlink before returning it

This commit is contained in:
James Allen 2014-12-04 22:07:37 +00:00
parent 49b7cdc854
commit 2647eb0ec7


@ -5,6 +5,7 @@ logger.initialize("clsi")
smokeTest = require "smoke-test-sharelatex" smokeTest = require "smoke-test-sharelatex"
Path = require "path" Path = require "path"
fs = require "fs"
Metrics = require "metrics-sharelatex" Metrics = require "metrics-sharelatex"
Metrics.initialize("clsi") Metrics.initialize("clsi")
@ -49,7 +50,24 @@ staticServer = express.static Settings.path.compilesDir, setHeaders: (res, path,
# that could be used in same-origin/XSS attacks. # that could be used in same-origin/XSS attacks.
res.set("Content-Type", "text/plain") res.set("Content-Type", "text/plain")
app.get "/project/:project_id/output/*", (req, res, next) -> app.get "/project/:project_id/output/*", (req, res, next) ->
basePath = Path.resolve("#{Settings.path.compilesDir}/#{req.params.project_id}")
path = Path.normalize("#{basePath}/#{req.params[0]}")
if path.slice(0, basePath.length) != basePath
logger.warn path: req.params[0], project_id: req.params.project_id, "trying to leave project directory, aborting"
res.send(404)
return
fs.lstat path, (error, stats) ->
if error?
if error.code == "ENOENT"
error.statusCode = 404
return next(error)
if stats.isSymbolicLink()
error = new Error("file is a symlink")
error.statusCode = 404
return next(error)
req.url = "/#{req.params.project_id}/#{req.params[0]}" req.url = "/#{req.params.project_id}/#{req.params[0]}"
staticServer(req, res, next) staticServer(req, res, next)
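Review bot: The guard at `if path.slice(0, basePath.length) != basePath` is a bare string-prefix match, so a sibling directory whose name merely begins with the project id passes it: with project_id `abc` and `req.params[0]` of `../abcd/main.pdf`, `Path.normalize` yields `<compilesDir>/abcd/main.pdf`, which starts with `<compilesDir>/abc`. Compare against the directory boundary instead, e.g. `unless path == basePath or path.indexOf(basePath + "/") == 0`. Whether express.static's own traversal rejection would still catch this is not visible here, and `req.url` is rebuilt from the raw `req.params[0]` on the line before `staticServer(req, res, next)`, so the guard should not rely on it. Separately, `fs.lstat` only inspects the final path component, so a symlinked directory inside the project directory still lets the static server read outside it; resolving with `fs.realpath` and re-applying the boundary check against the resolved `basePath` would cover that, with the caveat that any stat-then-serve sequence remains racy against a file swapped for a symlink in between.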