fix(zone.js): a path traversal attack in test (#32392)

`simple-server.js` is vulnerable to a trivial path traversal attack, i.e. an attacker can supply a path like `../../etc/passwd` to read arbitrary files on the server. This change fixes the issue by properly resolving the path, and then only serving files under the current directory (as intended). This is not really a security issue, given the code is not part of Angular, but rather just testing infrastructure for Angular itself, and the CI servers are not expected to contain confidential information, but still worth fixing for code hygiene. PR Close #32392
2019-08-29 12:12:45 +02:00 · 2019-08-29 12:12:45 +02:00 · d498314850
parent 8dc3f3647c
commit d498314850
1 changed files with 13 additions and 4 deletions
--- a/packages/zone.js/simple-server.js
+++ b/packages/zone.js/simple-server.js
@ -13,22 +13,31 @@ let server;

 const localFolder = __dirname;

+function writeNotFound(res) {
+  res.writeHead(404, {'Content-Type': 'text/html'});
+  res.end('<h1>404, Not Found!</h1>');
+}
+
 function requestHandler(req, res) {
  if (req.url === '/close') {
    res.end('server closing');
    setTimeout(() => { process.exit(0); }, 1000);
  } else {
-    const file = localFolder + req.url;
+    const file = path.resolve(localFolder, req.url);
+    if (!file.startsWith(localFolder + '/')) {
+      writeNotFound(res);
+      return;
+    }

    fs.readFile(file, function(err, contents) {
      if (!err) {
        res.end(contents);
      } else {
-        res.writeHead(404, {'Content-Type': 'text/html'});
-        res.end('<h1>404, Not Found!</h1>');
+        writeNotFound(res);
+        return;
      };
    });
  };
 };

-server = http.createServer(requestHandler).listen(8080);
+server = http.createServer(requestHandler).listen(8080);