mirror of
https://github.com/overleaf/overleaf.git
synced 2024-11-21 20:47:08 -05:00
Check file is not a symlink before returning it
This commit is contained in:
parent
49b7cdc854
commit
2647eb0ec7
1 changed files with 20 additions and 2 deletions
|
@ -5,6 +5,7 @@ logger.initialize("clsi")
|
||||||
smokeTest = require "smoke-test-sharelatex"
|
smokeTest = require "smoke-test-sharelatex"
|
||||||
|
|
||||||
Path = require "path"
|
Path = require "path"
|
||||||
|
fs = require "fs"
|
||||||
|
|
||||||
Metrics = require "metrics-sharelatex"
|
Metrics = require "metrics-sharelatex"
|
||||||
Metrics.initialize("clsi")
|
Metrics.initialize("clsi")
|
||||||
|
@ -49,7 +50,24 @@ staticServer = express.static Settings.path.compilesDir, setHeaders: (res, path,
|
||||||
# that could be used in same-origin/XSS attacks.
|
# that could be used in same-origin/XSS attacks.
|
||||||
res.set("Content-Type", "text/plain")
|
res.set("Content-Type", "text/plain")
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
app.get "/project/:project_id/output/*", (req, res, next) ->
|
app.get "/project/:project_id/output/*", (req, res, next) ->
|
||||||
|
basePath = Path.resolve("#{Settings.path.compilesDir}/#{req.params.project_id}")
|
||||||
|
path = Path.normalize("#{basePath}/#{req.params[0]}")
|
||||||
|
if path.slice(0, basePath.length) != basePath
|
||||||
|
logger.warn path: req.params[0], project_id: req.params.project_id, "trying to leave project directory, aborting"
|
||||||
|
res.send(404)
|
||||||
|
return
|
||||||
|
fs.lstat path, (error, stats) ->
|
||||||
|
if error?
|
||||||
|
if error.code == "ENOENT"
|
||||||
|
error.statusCode = 404
|
||||||
|
return next(error)
|
||||||
|
if stats.isSymbolicLink()
|
||||||
|
error = new Error("file is a symlink")
|
||||||
|
error.statusCode = 404
|
||||||
|
return next(error)
|
||||||
req.url = "/#{req.params.project_id}/#{req.params[0]}"
|
req.url = "/#{req.params.project_id}/#{req.params[0]}"
|
||||||
staticServer(req, res, next)
|
staticServer(req, res, next)
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue