fix: decode path to avoid bypassing security checks
kitsonk committed Nov 1, 2024
1 parent 3896fe5 commit 4b2f27e
Showing 2 changed files with 21 additions and 3 deletions.
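--- a/send.test.ts
+++ b/send.test.ts
@@ -1,6 +1,10 @@
 // Copyright 2018-2024 the oak authors. All rights reserved. MIT license.
 
-import { assertEquals, assertStrictEquals } from "./deps_test.ts";
+import {
+  assertEquals,
+  assertRejects,
+  assertStrictEquals,
+} from "./deps_test.ts";
 import {
   createMockApp,
   createMockContext,
@@ -13,6 +17,7 @@ import { assert, errors, eTag } from "./deps.ts";
 import type { RouteParams } from "./router.ts";
 import { send } from "./send.ts";
 import { isNode } from "./utils/type_guards.ts";
+import { httpErrors } from "./mod.ts";
 
 function setup<
   // deno-lint-ignore no-explicit-any
@@ -482,3 +487,16 @@ Deno.test({
     context.response.destroy();
   },
 });
+
+Deno.test({
+  name: "send - security - decoding paths to subvert checks",
+  async fn() {
+    const { context } = setup("/poc%2f../.test.json");
+    await assertRejects(async () => {
+      await send(context, context.request.url.pathname, {
+        root: "./fixtures",
+        hidden: false,
+      });
+    }, httpErrors.NotFound);
+  },
+});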
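Review bot: The new test at the end asserts only that the request rejects with `httpErrors.NotFound` and never says why that is the right outcome for `/poc%2f../.test.json`, so a later refactor could keep the test green for the wrong reason; a one-line comment above the `assertRejects` would pin the intent, e.g. `// %2f must be decoded to "/" before the hidden-file check, so this resolves to the hidden fixture and is refused rather than served`. The expectation presumably relies on `./fixtures/.test.json` existing and on `send` reporting a refused hidden file as NotFound, neither of which is visible in this diff — confirm both against the fixtures directory and send.ts. Note also that `httpErrors` is imported from `./mod.ts` while the sibling helpers on the lines above come from `./deps.ts`; if `mod.ts` merely re-exports it, importing from the same place as the rest of the file keeps the test imports consistent.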
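--- a/send.ts
+++ b/send.ts
@@ -30,7 +30,7 @@ import {
 } from "./deps.ts";
 import type { Response } from "./response.ts";
 import { isNode } from "./utils/type_guards.ts";
-import { decodeComponent } from "./utils/decode_component.ts";
+import { decode } from "./utils/decode.ts";
 import { resolvePath } from "./utils/resolve_path.ts";
 
 if (isNode()) {
@@ -179,7 +179,7 @@ export async function send(
     root,
   } = options;
   const trailingSlash = path[path.length - 1] === "/";
-  path = decodeComponent(path.substring(parse(path).root.length));
+  path = decode(path.substring(parse(path).root.length));
   if (index && trailingSlash) {
     path += index;
   }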
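Review bot: `trailingSlash` on the line above the changed one is still computed from the raw, undecoded path, so a request whose final segment is an encoded separator decodes to a path ending in `/` yet never has `index` appended; if that is not intended, compute it after the decode, e.g. `path = decode(path.substring(parse(path).root.length)); const trailingSlash = path[path.length - 1] === "/";`. The switch from `decodeComponent` to `decode` also deserves a why-comment so it is not reverted as a cleanup, e.g. `// decode the whole path, encoded separators such as %2f included, before the root/hidden checks below — otherwise those checks can be bypassed`. Whether `decode` can throw on a malformed percent-sequence, and what status that surfaces as, is not visible here; worth confirming it maps to a 4xx rather than an unhandled 500. The body of `send` begins and continues outside the hunk, so the downstream `resolvePath`/hidden checks the fix relies on could not be reviewed.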