From: Justin Wind
Date: Fri, 22 Oct 2021 23:11:17 +0000 (-0700)
Subject: serveFile now requires a directory be specified
X-Git-Tag: v1.2.1^2~2
X-Git-Url: http://git.squeep.com/?p=squeep-api-dingus;a=commitdiff_plain;h=93ad1b3d6b0fbe384f8f8fcd7c09d285060fa65f
serveFile now requires a directory be specified
---
diff --git a/lib/dingus.js b/lib/dingus.js
index 3432839..84c1d14 100644
--- a/lib/dingus.js
+++ b/lib/dingus.js
@@ -27,6 +27,7 @@ const defaultOptions = {
 strictAccept: true,
 selfBaseUrl: '',
 staticMetadata: true,
+ staticPath: undefined, // no reasonable default
 trustProxy: true,
 querystring,
 };
@@ -494,6 +495,12 @@ class Dingus {
 const _scope = _fileScope('serveFile');
 this.logger.debug(_scope, 'called', { req: common.requestLogData(req), ctx });
 
+ // Require a directory field.
+ if (!directory) {
+ this.logger.debug(_scope, 'rejected unset directory', { fileName });
+ return this.handlerNotFound(req, res, ctx);
+ }
+
 // Normalize the supplied path, as encoded path-navigation may have been (maliciously) present.
 fileName = path.normalize(fileName);
 
diff --git a/test/lib/dingus.js b/test/lib/dingus.js
index 7036384..519feb0 100644
--- a/test/lib/dingus.js
+++ b/test/lib/dingus.js
@@ -667,8 +667,8 @@ Content-Type: image/sgi
 size: 8,
 blocks: 17,
 atimeMs: 1613253436842.815,
- mtimeMs: 1603485933192.8610,
- ctimeMs: 1603485933192.8610,
+ mtimeMs: 1603485933192.861,
+ ctimeMs: 1603485933192.861,
 birthtimeMs: 0,
 atime: '2021-02-13T21:57:16.843Z',
 mtime: '2020-10-23T13:45:33.193Z',
@@ -707,6 +707,11 @@ Content-Type: image/sgi
 await dingus.serveFile(req, res, ctx, directory, fileName);
 assert(dingus.handlerNotFound.called);
 });
+ it('requires directory be specified', async function () {
+ await dingus.serveFile(req, res, ctx, '', fileName);
+ assert(!fs.promises.readFile.called);
+ assert(dingus.handlerNotFound.called);
+ });
 it('covers fs error', async function () {
 const expectedException = new Error('blah');
 fs.promises.stat.restore();
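Review bot: The new guard in serveFile, `if (!directory)`, is a truthiness test only, so any non-empty value is accepted as the serving root, including a non-string; tightening it to `if (typeof directory !== 'string' || !directory)` would reject those as well. The rejection is logged at debug level, yet an unset directory is a server-side configuration gap rather than a client mistake, so a level operators actually see would make the resulting not-found responses easier to diagnose. The comment on the following context line could also say that `path.normalize` keeps leading `..` segments, so containment under `directory` still has to be checked afterwards. serveFile's body continues outside the hunk, so whether that containment check exists cannot be confirmed from here.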
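Review bot: The added case 'requires directory be specified' exercises only the empty string, while the option added in lib/dingus.js defaults `staticPath` to `undefined`. Assuming that option is what callers pass as `directory`, the default value itself is never tested. A second call, `await dingus.serveFile(req, res, ctx, undefined, fileName);`, followed by the same two assertions would pin the behaviour for the unset default. The enclosing describe block and its stubs are set up outside the hunk.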