Fix a path traversal issue when using root

dougwilson · dougwilson · commit 9c6ca9b2c0b8 · 2014-09-04T14:27:58.000-04:00
fixes #59 fixes #60
diff --git a/History.md b/History.md
@@ -1,3 +1,8 @@
+unreleased
+==========
+
+  * Fix a path traversal issue when using `root`
+
 0.8.3 / 2014-08-16
 ==================
 
diff --git a/lib/send.js b/lib/send.js
@@ -412,7 +412,7 @@ SendStream.prototype.pipe = function(res){
   if (root !== null) {
     // join / normalize from optional root dir
     path = normalize(join(root, path))
-    root = normalize(root)
+    root = normalize(root + sep)
 
     // malicious path
     if (path.substr(0, root.length) !== root) {
@@ -421,7 +421,7 @@ SendStream.prototype.pipe = function(res){
     }
 
     // explode path parts
-    parts = path.substr(root.length + 1).split(sep)
+    parts = path.substr(root.length).split(sep)
   } else {
     // ".." is malicious without "root"
     if (upPathRegexp.test(path)) {
diff --git a/test/fixtures/name.d/name.txt b/test/fixtures/name.d/name.txt
@@ -0,0 +1 @@
+loki
diff --git a/test/send.js b/test/send.js
@@ -1097,6 +1097,17 @@ describe('send(file, options)', function(){
         .expect(200, 'tobi', done)
       })
 
+      it('should with with trailing slash', function(done){
+        var app = http.createServer(function(req, res){
+          send(req, req.url, {root: __dirname + '/fixtures/'})
+          .pipe(res);
+        });
+
+        request(app)
+        .get('/name.txt')
+        .expect(200, 'tobi', done)
+      })
+
       it('should restrict paths to within root', function(done){
         var app = http.createServer(function(req, res){
           send(req, req.url, {root: __dirname + '/fixtures'})
@@ -1118,6 +1129,17 @@ describe('send(file, options)', function(){
         .get('/pets/../../send.js')
         .expect(403, done)
       })
+
+      it('should not allow root transversal', function(done){
+        var app = http.createServer(function(req, res){
+          send(req, req.url, {root: __dirname + '/fixtures/name.d'})
+          .pipe(res);
+        });
+
+        request(app)
+        .get('/../name.dir/name.txt')
+        .expect(403, done)
+      })
     })
 
     describe('when missing', function(){
