mudhorn/n8n
1
0
Fork 0
mirror of https://github.com/n8n-io/n8n.git synced 2025-03-05 20:50:17 -08:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix(core): Add additional path-traversal guards on res.sendFile calls (no-changelog) (#6505)

Browse source
This commit is contained in:
कारतोफ्फेलस्क्रिप्ट™ 2023-06-21 22:20:47 +02:00 committed by GitHub
parent 772ed7ff10
commit 42a9e20e32
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 4 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
packages/cli/src/Server.ts
View file

@ -14,7 +14,7 @@ import assert from 'assert';
import { exec as callbackExec } from 'child_process'; import { exec as callbackExec } from 'child_process';
import { access as fsAccess } from 'fs/promises'; import { access as fsAccess } from 'fs/promises';
import os from 'os'; import os from 'os';
import { join as pathJoin, resolve as pathResolve } from 'path'; import { join as pathJoin, resolve as pathResolve, relative as pathRelative } from 'path';
import { createHmac } from 'crypto'; import { createHmac } from 'crypto';
import { promisify } from 'util'; import { promisify } from 'util';
import cookieParser from 'cookie-parser'; import cookieParser from 'cookie-parser';
@ -1467,6 +1467,9 @@ export class Server extends AbstractServer {
loader.directory, loader.directory,
req.originalUrl.substring(pathPrefix.length), req.originalUrl.substring(pathPrefix.length),
); );
if (pathRelative(loader.directory, filePath).includes('..')) {
return res.status(404).end();
}
try { try {
await fsAccess(filePath); await fsAccess(filePath);
return res.sendFile(filePath); return res.sendFile(filePath);