Disallow upward tree traversal in Windows. (#254)

firebase · Feb 28, 2018 · e396ff6 · e396ff6
1 parent 6628c8b
commit e396ff6
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/lib/providers/fs.js b/lib/providers/fs.js
@@ -68,7 +68,7 @@ module.exports = function(options) {
   return function(req, pathname) {
     pathname = decodeURI(pathname);
     // jumping to parent directories is not allowed
-    if (pathname.indexOf('../') >= 0) {
+    if (pathname.indexOf('../') >= 0 || pathname.indexOf('..\\') >= 0 || pathname.toLowerCase().indexOf('..%5c') >= 0) {
       return RSVP.resolve(null);
     }
 

diff --git a/test/unit/providers/fs.spec.js b/test/unit/providers/fs.spec.js
@@ -44,6 +44,18 @@ describe('provider: fs', function() {
     });
   });
 
+  it('should return null if ../', function() {
+    return expect(fsp(opts)({}, '/../b/b.html')).to.eventually.be.null;
+  });
+
+  it('should return null if ..\\', function() {
+    return expect(fsp(opts)({}, '/..\\b\\b.html')).to.eventually.be.null;
+  });
+
+  it('should return null if ..%5c', function() {
+    return expect(fsp(opts)({}, '/..%5Cb%5cb.html')).to.eventually.be.null;
+  });
+
   it('should return null for a file that does not exist', function() {
     return expect(fsp(opts)({}, '/bogus.html')).to.eventually.be.null;
   });