Fix root path disclosure

dougwilson · dougwilson · commit a59b0183ee61 · 2015-01-19T23:55:52.000-05:00
diff --git a/HISTORY.md b/HISTORY.md
@@ -1,3 +1,8 @@
+unreleased
+==========
+
+  * Fix root path disclosure
+
 1.2.0 / 2015-01-05
 ==================
 
diff --git a/README.md b/README.md
@@ -42,6 +42,7 @@ malicious:
   - The relative path is an absolute path
   - The relative path contains a NULL byte
   - The relative path resolves to a path outside of the root path
+  - The relative path traverses above the root and back down
 
 ## Example
 
diff --git a/index.js b/index.js
@@ -21,6 +21,13 @@ var sep = require('path').sep
 
 module.exports = resolvePath
 
+/**
+ * Module variables.
+ * @private
+ */
+
+var upPathRegexp = /(?:^|[\\\/])\.\.(?:[\\\/]|$)/
+
 /**
  * Resolve relative path against a root path
  *
@@ -65,16 +72,16 @@ function resolvePath(rootPath, relativePath) {
     throw createError(400, 'Malicious Path')
   }
 
+  // path outside root
+  if (upPathRegexp.test(normalize('.' + sep + path))) {
+    throw createError(403)
+  }
+
   // resolve & normalize the root path
   root = normalize(resolve(root) + sep)
 
   // resolve the path
   path = resolve(root, path)
 
-  // path outside root
-  if ((path + sep).substr(0, root.length) !== root) {
-    throw createError(403)
-  }
-
   return path
 }
diff --git a/test/resolvePath.js b/test/resolvePath.js
@@ -57,6 +57,13 @@ describe('resolvePath(relativePath)', function () {
         expectError(403, 'Forbidden'))
     })
   })
+
+  describe('when relativePath discloses cwd', function () {
+    it('should throw Forbidden error', function () {
+      assert.throws(resolvePath.bind(null, join('test', '..', '..', basename(process.cwd()), 'index.js')),
+        expectError(403, 'Forbidden'))
+    })
+  })
 })
 
 describe('resolvePath(rootPath, relativePath)', function () {
@@ -139,6 +146,13 @@ describe('resolvePath(rootPath, relativePath)', function () {
         expectError(403, 'Forbidden'))
     })
   })
+
+  describe('when relativePath discloses rootPath', function () {
+    it('should throw Forbidden error', function () {
+      assert.throws(resolvePath.bind(null, __dirname, join('test', '..', '..', basename(__dirname), 'index.js')),
+        expectError(403, 'Forbidden'))
+    })
+  })
 })
 
 function expectError(status, message) {
