From 93ad1b3d6b0fbe384f8f8fcd7c09d285060fa65f Mon Sep 17 00:00:00 2001
From: Justin Wind
Date: Fri, 22 Oct 2021 16:11:17 -0700
Subject: [PATCH] serveFile now requires a directory be specified

---
 lib/dingus.js | 7 +++++++
 test/lib/dingus.js | 9 +++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/lib/dingus.js b/lib/dingus.js
index 3432839..84c1d14 100644
--- a/lib/dingus.js
+++ b/lib/dingus.js
@@ -27,6 +27,7 @@ const defaultOptions = {
  strictAccept: true,
  selfBaseUrl: '',
  staticMetadata: true,
+ staticPath: undefined, // no reasonable default
  trustProxy: true,
  querystring,
  };
@@ -494,6 +495,12 @@ class Dingus {
  const _scope = _fileScope('serveFile');
  this.logger.debug(_scope, 'called', { req: common.requestLogData(req), ctx });

+ // Require a directory field.
+ if (!directory) {
+ this.logger.debug(_scope, 'rejected unset directory', { fileName });
+ return this.handlerNotFound(req, res, ctx);
+ }
+
  // Normalize the supplied path, as encoded path-navigation may have been (maliciously) present.
  fileName = path.normalize(fileName);

diff --git a/test/lib/dingus.js b/test/lib/dingus.js
index 7036384..519feb0 100644
--- a/test/lib/dingus.js
+++ b/test/lib/dingus.js
@@ -667,8 +667,8 @@ Content-Type: image/sgi
  size: 8,
  blocks: 17,
  atimeMs: 1613253436842.815,
- mtimeMs: 1603485933192.8610,
- ctimeMs: 1603485933192.8610,
+ mtimeMs: 1603485933192.861,
+ ctimeMs: 1603485933192.861,
  birthtimeMs: 0,
  atime: '2021-02-13T21:57:16.843Z',
  mtime: '2020-10-23T13:45:33.193Z',
@@ -707,6 +707,11 @@ Content-Type: image/sgi
  await dingus.serveFile(req, res, ctx, directory, fileName);
  assert(dingus.handlerNotFound.called);
  });
+ it('requires directory be specified', async function () {
+ await dingus.serveFile(req, res, ctx, '', fileName);
+ assert(!fs.promises.readFile.called);
+ assert(dingus.handlerNotFound.called);
+ });
  it('covers fs error', async function () {
  const expectedException = new Error('blah');
  fs.promises.stat.restore();
-- 
2.43.2
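Review bot: The comment on the new `staticPath` default says why it is unset but not what the option controls or what an unset value leads to. The hunk does not show where the option is read; if it is the value handed to serveFile as `directory`, a comment such as `// directory served by serveFile; no reasonable default, static requests get not-found until set` would tell an operator why every static request fails on a fresh configuration. The defaultOptions object starts above the hunk.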
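Review bot: The new guard in serveFile only rejects falsy values, so a non-empty relative value such as `'.'` or a whitespace-only string still passes `if (!directory)`. Assuming the code below the hunk joins `directory` with `fileName`, such a value would resolve against the process working directory, the same exposure the empty string had. If callers are expected to pass absolute paths, `if (typeof directory !== 'string' || !path.isAbsolute(directory)) {` would fail closed for those cases too. The rejection is also logged at debug level although it indicates a server misconfiguration rather than a bad request, so a higher level, if the logger offers one, would make it visible in production logs. The rest of serveFile lies outside the hunk.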
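Review bot: The new 'requires directory be specified' test only exercises the empty string, while the value the options default now produces is `undefined`. Adding `await dingus.serveFile(req, res, ctx, undefined, fileName);` with the same assertions would cover the case an unconfigured deployment actually hits. Since the following test calls `fs.promises.stat.restore()`, stat appears to be stubbed as well, so `assert(!fs.promises.stat.called);` would pin that the guard returns before any filesystem access rather than only before the read. The enclosing describe block and its setup are outside the hunk.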