[PATCH] Thrift-4647: Node.js Filesever webroot fixed path

Updates the node.js fileserver to have a fixed based webroot which can
not be escaped by end users.

Gbp-Pq: Name CVE-2018-11798_Node.js_Filesever_webroot_fixed_path.patch

diff --git a/lib/js/test/server_http.js b/lib/js/test/server_http.js
index 1115474b01fdf7f9f1f9a13cb5cf3e3f6f5c7c0e..02fa54ae7876428a0e5631d77c17b1e310450ab9 100644 (file)
--- a/lib/js/test/server_http.js
+++ b/lib/js/test/server_http.js
@@ -36,7 +36,7 @@ var ThriftTestSvcOpt = {
 };
 
 var ThriftWebServerOptions = {
-       files: '.',
+       files: __dirname,
        services: {
                '/service': ThriftTestSvcOpt
        }

diff --git a/lib/js/test/server_https.js b/lib/js/test/server_https.js
index 7e78d9edaf9504281df8bfbb3d4b3c78d414bc02..abd25c1a6f4ba94e66d46ba462ffe113d4bfd456 100644 (file)
--- a/lib/js/test/server_https.js
+++ b/lib/js/test/server_https.js
@@ -40,7 +40,7 @@ var ThriftTestSvcOpt = {
 };
 
 var ThriftWebServerOptions = {
-  files: '.',
+  files: __dirname,
   tls: {
      key: fs.readFileSync('../../../test/keys/server.key'),
      cert: fs.readFileSync('../../../test/keys/server.crt')

diff --git a/lib/nodejs/lib/thrift/web_server.js b/lib/nodejs/lib/thrift/web_server.js
index 0093c8a0828abc4dd438be3470b1c0724e6d026b..a33f47aedb7da803486607a01d391f0060e5318b 100644 (file)
--- a/lib/nodejs/lib/thrift/web_server.js
+++ b/lib/nodejs/lib/thrift/web_server.js
@@ -415,7 +415,15 @@ exports.createWebServer = function(options) {
 
     //Locate the file requested and send it
     var uri = url.parse(request.url).pathname;
-    var filename = path.join(baseDir, uri);
+    var filename = path.resolve(path.join(baseDir, uri));
+
+    //Ensure the basedir path is not able to be escaped
+    if (filename.indexOf(baseDir) != 0) {
+      response.writeHead(400, "Invalid request path", {});
+      response.end();
+      return;
+    }
+
     fs.exists(filename, function(exists) {
       if(!exists) {
         response.writeHead(404);