From 0b93c0b8ce21db9bab98b1e17cd839c3b2976471 Mon Sep 17 00:00:00 2001
From: Jafar Akhondali
Date: Tue, 30 Jul 2024 19:24:31 +0200
Subject: [PATCH] Block malicious looking requests to prevent path traversal attacks.
---
 perf/outband-setup.js | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/perf/outband-setup.js b/perf/outband-setup.js
index a91c21c..eda2b0f 100644
--- a/perf/outband-setup.js
+++ b/perf/outband-setup.js
@@ -6,6 +6,11 @@ const PORT = 8080;
 const FILES_DIRECTORY = './resources/members';
 const server = http.createServer((req, res) => {
+  if (path.normalize(decodeURI(req.url)) !== decodeURI(req.url)) {
+    res.statusCode = 403;
+    res.end();
+    return;
+  }
   // Extract the filename from the URL
   const filename = req.url.slice(1); // Remove leading '/'
   const filePath = path.join(__dirname, FILES_DIRECTORY, filename);
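Review bot: `decodeURI(req.url)` on the new guard line throws a `URIError` when the request path contains malformed percent-encoding (a lone `%` or `%zz`), and inside the `http.createServer` callback that is an uncaught exception, so one malformed request takes the whole server down rather than being rejected. The guard also validates a different string than the one the handler then uses: it checks the decoded URL, but the following `path.join` consumes the raw `req.url.slice(1)` with the query string still attached, and on Windows `path.normalize` rewrites `/` to `\`, so the comparison rejects every request there. A containment check against the resolved base directory is the sturdier form: derive the pathname once inside a `try`, resolve it under `FILES_DIRECTORY`, and require the result to stay within that directory, as sketched below. The handler's body continues past the end of the hunk.
```javascript
const server = http.createServer((req, res) => {
  const baseDir = path.resolve(__dirname, FILES_DIRECTORY);
  let pathname;
  try {
    // Drop the query string, then decode once; a malformed escape must not crash the process.
    pathname = decodeURIComponent(new URL(req.url, 'http://localhost').pathname);
  } catch {
    res.statusCode = 400;
    res.end();
    return;
  }
  const filePath = path.resolve(baseDir, `.${pathname}`);
  // Only serve files that resolve inside the members directory.
  if (filePath !== baseDir && !filePath.startsWith(baseDir + path.sep)) {
    res.statusCode = 403;
    res.end();
    return;
  }
  // … unchanged: read and serve filePath …
```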