mirror of
https://github.com/overleaf/overleaf.git
synced 2024-11-21 20:47:08 -05:00
Check file is not a symlink before returning it
This commit is contained in:
parent
49b7cdc854
commit
2647eb0ec7
1 changed files with 20 additions and 2 deletions
|
@ -5,6 +5,7 @@ logger.initialize("clsi")
|
|||
smokeTest = require "smoke-test-sharelatex"
|
||||
|
||||
Path = require "path"
|
||||
fs = require "fs"
|
||||
|
||||
Metrics = require "metrics-sharelatex"
|
||||
Metrics.initialize("clsi")
|
||||
|
@ -49,7 +50,24 @@ staticServer = express.static Settings.path.compilesDir, setHeaders: (res, path,
|
|||
# that could be used in same-origin/XSS attacks.
|
||||
res.set("Content-Type", "text/plain")
|
||||
|
||||
|
||||
|
||||
app.get "/project/:project_id/output/*", (req, res, next) ->
|
||||
basePath = Path.resolve("#{Settings.path.compilesDir}/#{req.params.project_id}")
|
||||
path = Path.normalize("#{basePath}/#{req.params[0]}")
|
||||
if path.slice(0, basePath.length) != basePath
|
||||
logger.warn path: req.params[0], project_id: req.params.project_id, "trying to leave project directory, aborting"
|
||||
res.send(404)
|
||||
return
|
||||
fs.lstat path, (error, stats) ->
|
||||
if error?
|
||||
if error.code == "ENOENT"
|
||||
error.statusCode = 404
|
||||
return next(error)
|
||||
if stats.isSymbolicLink()
|
||||
error = new Error("file is a symlink")
|
||||
error.statusCode = 404
|
||||
return next(error)
|
||||
req.url = "/#{req.params.project_id}/#{req.params[0]}"
|
||||
staticServer(req, res, next)
|
||||
|
||||
|
|
Loading…
Reference in a new issue