e024fec82d
prevents mismatch between rootdir of server and rootdir of symlink checking middleware
Path = require("path")
fs = require("fs")
Settings = require("settings-sharelatex")
logger = require("logger-sharelatex")
url = require "url"
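# Build an Express middleware that wraps a static-file handler and refuses to
# hand it any request whose on-disk path resolves through a symlink.
#
# staticFn - factory for the static handler; invoked once as staticFn(root, options)
# root     - directory to serve. The same value feeds both the static handler
#            and the symlink check, so the two cannot disagree about the base
#            directory.
# options  - passed through to staticFn unchanged
#
# Returns a (req, res, next) middleware. It answers 404 when the path is
# missing or malformed, points outside root, does not exist, or differs from
# its fs.realpath; 500 when fs.realpath fails for any other reason; otherwise
# the request is delegated to the static handler.
#
# The test compares the normalized requested path with fs.realpath of that
# path, so a symlink in ANY component (including root itself) yields a 404.
# The realpath check and the static handler's later read are two separate
# filesystem operations; a file replaced between them is not caught here.
module.exports = ForbidSymlinks = (staticFn, root, options) ->
  expressStatic = staticFn root, options
  basePath = Path.resolve(root)
  return (req, res, next) ->
    rawPath = url.parse(req.url)?.pathname
    # Without this guard a missing pathname would be interpolated as the
    # literal text "null"/"undefined" and checked as if it were a file name.
    unless typeof rawPath is "string"
      logger.warn url: req.url, "no pathname in static file request"
      return res.sendStatus(404)

    # NOTE(review): assumes staticFn is express.static or compatible, which
    # percent-decodes the pathname before opening the file. The check must
    # look at that same decoded name; otherwise the path that is verified and
    # the path that is served can be two different directory entries.
    try
      path = decodeURIComponent(rawPath)
    catch decodeErr
      logger.warn err: decodeErr, path: rawPath, "malformed path in static file request"
      return res.sendStatus(404)

    # Decoding can surface a NUL byte, which fs calls reject by throwing
    # synchronously; turn that into a plain 404 instead.
    if path.indexOf("\0") != -1
      logger.warn path: rawPath, "null byte in static file request path"
      return res.sendStatus(404)

    requestedFsPath = Path.normalize("#{basePath}/#{path}")

    # Defence in depth: do not rely on the downstream handler alone to stop
    # ".." segments from leaving the served directory.
    relativePath = Path.relative(basePath, requestedFsPath)
    if relativePath == ".." or relativePath.indexOf("..#{Path.sep}") == 0 or Path.isAbsolute(relativePath)
      logger.warn requestedFsPath:requestedFsPath, path: req.params[0], project_id: req.params.project_id, "requested path is outside the served root, aborting"
      return res.sendStatus(404)

    fs.realpath requestedFsPath, (err, realFsPath)->
      if err?
        logger.warn err:err, requestedFsPath:requestedFsPath, realFsPath:realFsPath, path: req.params[0], project_id: req.params.project_id, "error checking file access"
        if err.code == 'ENOENT'
          return res.sendStatus(404)
        else
          return res.sendStatus(500)
      else if requestedFsPath != realFsPath
        # realpath differs from the normalized request only when some
        # component was a symlink (or the normalized form was not canonical,
        # e.g. a trailing slash); both cases are refused.
        logger.warn requestedFsPath:requestedFsPath, realFsPath:realFsPath, path: req.params[0], project_id: req.params.project_id, "trying to access a different file (symlink), aborting"
        return res.sendStatus(404)
      else
        expressStatic(req, res, next)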