examples: fix path traversal in downloads example

closes #4120
expressjs · Feb 8, 2022 · 82de4de · 82de4de
1 parent 12310c5
commit 82de4de
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 1 deletion.
diff --git a/examples/downloads/index.js b/examples/downloads/index.js
@@ -6,8 +6,13 @@
 
 var express = require('../../');
 var path = require('path');
+var resolvePath = require('resolve-path')
+
 var app = module.exports = express();
 
+// path to where the files are stored on disk
+var FILES_DIR = path.join(__dirname, 'files')
+
 app.get('/', function(req, res){
   res.send('<ul>' +
     '<li>Download <a href="/files/notes/groceries.txt">notes/groceries.txt</a>.</li>' +
@@ -20,7 +25,7 @@ app.get('/', function(req, res){
 // /files/* is accessed via req.params[0]
 // but here we name it :file
 app.get('/files/:file(*)', function(req, res, next){
-  var filePath = path.join(__dirname, 'files', req.params.file);
+  var filePath = resolvePath(FILES_DIR, req.params.file)
 
   res.download(filePath, function (err) {
     if (!err) return; // file sent

diff --git a/package.json b/package.json
@@ -75,6 +75,7 @@
     "multiparty": "4.2.2",
     "nyc": "15.1.0",
     "pbkdf2-password": "1.2.1",
+    "resolve-path": "1.4.0",
     "should": "13.2.3",
     "supertest": "6.2.2",
     "vhost": "~3.0.2"

diff --git a/test/acceptance/downloads.js b/test/acceptance/downloads.js
@@ -36,4 +36,12 @@ describe('downloads', function(){
       .expect(404, done)
     })
   })
+
+  describe('GET /files/../index.js', function () {
+    it('should respond with 403', function (done) {
+      request(app)
+        .get('/files/../index.js')
+        .expect(403, done)
+    })
+  })
 })