change regex checking file request ensure other files can not be accessed

2025-04-05 01:36:57 +00:00 · 2015-05-12 15:17:18 +01:00 · 2015-05-12 15:17:18 +01:00 · 7dfdad02f5
commit 7dfdad02f5
parent 604c31ae84
2 changed files with 13 additions and 2 deletions
--- a/services/clsi/app/coffee/StaticServerForbidSymlinks.coffee
+++ b/services/clsi/app/coffee/StaticServerForbidSymlinks.coffee
@ -9,8 +9,8 @@ module.exports = ForbidSymlinks = (staticFn, root, options) ->
 	basePath = Path.resolve(root)
 	return (req, res, next) ->
 		path = url.parse(req.url)?.pathname
-		# check that the path is of the form /project_id/path/to/file
-		if result = path.match(/^\/?(\w+)\/(.*)/)
+		# check that the path is of the form /project_id_or_name/path/to/file.log
+		if result = path.match(/^\/?([a-zA-Z0-9_-]+)\/(.*)/)
 			project_id = result[1]
 			file = result[2]
 		else
--- a/services/clsi/test/unit/coffee/StaticServerForbidSymlinksTests.coffee
+++ b/services/clsi/test/unit/coffee/StaticServerForbidSymlinksTests.coffee
@ -134,6 +134,17 @@ describe "StaticServerForbidSymlinks", ->
 				done()
 			@StaticServerForbidSymlinks @req, @res

+	describe "with a github style path", ->
+		beforeEach ->
+			@req.url = "/henryoswald-latex_example/output/output.log"
+			@fs.realpath = sinon.stub().callsArgWith(1, null, "#{@settings.path.compilesDir}/henryoswald-latex_example/output/output.log")
+
+		it "should call next", (done)->
+			@res.sendStatus = (resCode)->
+				resCode.should.equal 200
+				done()
+			@StaticServerForbidSymlinks @req, @res, done
+
 	describe "with an error from fs.realpath", ->

 		beforeEach ->