init

Author: jonathanong

.gitignore

@@ -0,0 +1,59 @@
+# Compiled source #
+###################
+*.com
+*.class
+*.dll
+*.exe
+*.o
+*.so
+
+# Packages #
+############
+# it's better to unpack these files and commit the raw source
+# git has its own built in compression methods
+*.7z
+*.dmg
+*.gz
+*.iso
+*.jar
+*.rar
+*.tar
+*.zip
+
+# Logs and databases #
+######################
+*.log
+*.sql
+*.sqlite
+
+# OS generated files #
+######################
+.DS_Store*
+# Icon?
+ehthumbs.db
+Thumbs.db
+
+# Node.js #
+###########
+lib-cov
+*.seed
+*.log
+*.csv
+*.dat
+*.out
+*.pid
+*.gz
+
+pids
+logs
+results
+
+node_modules
+npm-debug.log
+
+# Components #
+##############
+
+/build
+/components
+/public

.npmignore

@@ -0,0 +1 @@
+test/

README.md

@@ -0,0 +1,49 @@
+
+# Resolve Path
+
+Resolve a path against a root path with validation against common malicious attacks.
+
+This module would protect against commons attacks like `GET /../file.js` which reaches outside the root folder.
+
+## API
+
+### absolutePath = resolve(rootPath, relativePath)
+
+```js
+var resolve = require('resolve-path')
+
+var filename = resolve(process.cwd(), '/public/favicon.ico')
+// => ~/public/favicon.ico
+```
+
+`relativePath` is generally a path given by a server. For example, in Express, it's probably `req.path.slice(1)`, removing the leading `/` to make the path relative.
+
+`rootPath` defaults to `process.cwd()`.
+
+`absolutePath` is the resolved path.
+
+This function __throws__.
+
+## License
+
+The MIT License (MIT)
+
+Copyright (c) 2014 Jonathan Ong [email protected]
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

index.js

@@ -0,0 +1,31 @@
+
+var resolve = require('path').resolve
+
+module.exports = function resolvePath(root, path) {
+  // just like path.resolve, make root optional
+  if (arguments.length === 1) {
+    path = root
+    root = process.cwd()
+  } else {
+    root = root || process.cwd()
+  }
+
+  // path should never be absolute
+  if (resolve(path) === path) error(400, 'malicious path')
+
+  // null byte(s)
+  if (~path.indexOf('\0')) error(400, 'null bytes')
+
+  path = resolve(root, path)
+
+  // out of bounds
+  if (path.indexOf(root)) error(400, 'malicious path')
+
+  return path
+}
+
+function error(status, message) {
+  var err = new Error(message)
+  err.status = status
+  throw err
+}

package.json

@@ -0,0 +1,27 @@
+{
+  "name": "resolve-path",
+  "description": "resolve a relative path from a root path with validation",
+  "version": "1.0.0",
+  "author": {
+    "name": "Jonathan Ong",
+    "email": "[email protected]",
+    "url": "http://jongleberry.com",
+    "twitter": "https://twitter.com/jongleberry"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/expressjs/resolve-path.git"
+  },
+  "bugs": {
+    "url": "https://github.com/expressjs/resolve-path/issues",
+    "email": "[email protected]"
+  },
+  "devDependencies": {
+    "should": "^3.0",
+    "mocha": "^1.13"
+  },
+  "scripts": {
+    "test": "NODE_ENV=test mocha --require should --reporter spec --bail"
+  },
+  "license": "MIT"
+}

test/resolve.js

@@ -0,0 +1,35 @@
+
+var assert = require('assert')
+var path = require('path')
+
+var resolve = require('..')
+
+describe('Resolve Path', function () {
+  it('should default to process.cwd()', function () {
+    resolve('index.js').should.equal(path.resolve('index.js'))
+  })
+
+  it('should work with a root', function () {
+    resolve(__dirname, 'resolve.js').should.equal(path.resolve(__dirname, 'resolve.js'))
+  })
+
+  describe('should throw if path', function () {
+    it('is absolute', function () {
+      assert.throws(function () {
+        resolve('/home')
+      })
+    })
+
+    it('contains a null byte', function () {
+      assert.throws(function () {
+        resolve('klajsdkfjasdf\0lkjalksjdfklasf')
+      })
+    })
+
+    it('is out of bounds', function () {
+      assert.throws(function () {
+        resolve(__dirname, '../index.js')
+      })
+    })
+  })
+})