Merge pull request #19293 from overleaf/jpa-issue-19290-2
[clsi] fix parsing of the requested file in symlink validation GitOrigin-RevId: 86cfe8d62bb99ed6844faee0ff4af507e571e04d
parent
58ffefc8bb
commit
51a24601ec
2 changed files with 22 additions and 1 deletions
|
@ -25,9 +25,13 @@ module.exports = ForbidSymlinks = function (staticFn, root, options) {
|
|||
let file, projectId, result
|
||||
const path = req.url
|
||||
// check that the path is of the form /project_id_or_name/path/to/file.log
|
||||
if ((result = path.match(/^\/?([a-zA-Z0-9_-]+)\/(.*)/))) {
|
||||
if ((result = path.match(/^\/([a-zA-Z0-9_-]+)\/(.*)$/s))) {
|
||||
projectId = result[1]
|
||||
file = result[2]
|
||||
if (path !== `/${projectId}/${file}`) {
|
||||
logger.warn({ path }, 'unrecognized file request')
|
||||
return res.sendStatus(404)
|
||||
}
|
||||
} else {
|
||||
logger.warn({ path }, 'unrecognized file request')
|
||||
return res.sendStatus(404)
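Review bot: The round-trip check `if (path !== `/${projectId}/${file}`)` needs a comment, because with the pattern anchored at both ends and the `s` flag, any string that matches already equals `/` + group 1 + `/` + group 2, so the branch reads as dead code unless its role as a guard against later regex edits is stated. I would put `// invariant: the regex must consume all of req.url, otherwise the name we validate is not the name that was requested` above it, and give its `logger.warn` a message distinct from the one in the `else` branch so the two rejections can be told apart in logs. Note also that `path` is the raw `req.url`, so `file` now carries everything after the second slash, including newlines and any query string or percent-encoding. Whether the checks that follow compare the same string the static handler later resolves is not visible here, since the function body continues outside the hunk.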
|
||||
|
|
|
@ -94,6 +94,23 @@ describe('StaticServerForbidSymlinks', function () {
|
|||
})
|
||||
})
|
||||
|
||||
describe('with a new line', function () {
|
||||
beforeEach(function () {
|
||||
this.req.url = '/12345/output.pdf\nother file'
|
||||
this.fs.realpath = sinon.stub().yields()
|
||||
})
|
||||
|
||||
it('should process the correct file', function (done) {
|
||||
this.res.sendStatus = () => {
|
||||
this.fs.realpath.should.have.been.calledWith(
|
||||
`${this.settings.path.compilesDir}/12345/output.pdf\nother file`
|
||||
)
|
||||
done()
|
||||
}
|
||||
this.StaticServerForbidSymlinks(this.req, this.res)
|
||||
})
|
||||
})
|
||||
|
||||
describe('with a symlink file', function () {
|
||||
beforeEach(function () {
|
||||
return (this.fs.realpath = sinon
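Review bot: The regex change also makes the leading slash mandatory (`^\/?` became `^\/`), and no case here pins that: the new `describe('with a new line')` covers only the `s`/`$` part of the fix. A sibling case with `this.req.url = '12345/output.pdf'` that asserts `sendStatus` receives `404` and that `this.fs.realpath` is never called would lock in the stricter parsing. In the added test the `sendStatus` stub also ignores its argument, so it passes whatever status the middleware returns. Taking the code as a parameter and asserting on it would make the expectation explicit; the expected value depends on code outside this hunk.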
|
||||
|
|