author | Jose <jose@zeroc.com> | 2020-12-30 23:18:43 +0100 |
---|---|---|
committer | Jose <jose@zeroc.com> | 2020-12-30 23:18:43 +0100 |
commit | 768d3cbcb8b09a1507e4230ca152889116eb2aa2 (patch) | |
tree | 097fadb895a4bd41aaeae36182f34e48f14329c7 /js/bin/HttpServer.js | |
parent | More CodeQL workflow updates (diff) | |
download | ice-768d3cbcb8b09a1507e4230ca152889116eb2aa2.tar.bz2 ice-768d3cbcb8b09a1507e4230ca152889116eb2aa2.tar.xz ice-768d3cbcb8b09a1507e4230ca152889116eb2aa2.zip |
JavaScript HttpServer updates for filePath checks
Diffstat (limited to 'js/bin/HttpServer.js')
-rw-r--r-- | js/bin/HttpServer.js | 20 |
1 files changed, 8 insertions, 12 deletions
diff --git a/js/bin/HttpServer.js b/js/bin/HttpServer.js
index 53825a21aa5..f4e23156192 100644
--- a/js/bin/HttpServer.js
+++ b/js/bin/HttpServer.js
@@ -156,6 +156,14 @@ function Init()
 }
 var filePath = req.url.pathname;
+ if(filePath.indexOf("..") != -1 || !["/test/", "/assets/", "/lib"].some(
+ prefix => filePath.startsWith(prefix)))
+ {
+ res.writeHead(403);
+ res.end("403 Forbiden");
+ console.log("HTTP/403 (Forbiden) " + req.method + " " + req.url.pathname + " -> " + filePath);
+ return;
+ }
 var sourceMap;
 if(filePath.indexOf("es5/") !== -1 && path.extname(filePath) != ".js")
 {
@@ -196,12 +204,6 @@ function Init()
 console.log("HTTP/302 (Found) " + req.method + " " + req.url.pathname + " -> " + "/test/Ice/acm/index.html");
 }
- else if(filePath.indexOf("..") != -1 || ["/test/", "/assets/"].some(prefix => filePath.startsWith(prefix)))
- {
- res.writeHead(403);
- res.end("403 Forbiden");
- console.log("HTTP/403 (Forbiden) " + req.method + " " + req.url.pathname + " -> " + filePath);
- }
 else if((ext == "js" || ext == "css" || ext == "map") && req.headers["accept-encoding"].indexOf("gzip") !== -1)
 {
 //
@@ -252,12 +254,6 @@ function Init()
 filePath);
 }
 }
- else if(filePath.indexOf("..") != -1 || ["/test/", "/assets/"].some(prefix => filePath.startsWith(prefix)))
- {
- res.writeHead(403);
- res.end("403 Forbiden");
- console.log("HTTP/403 (Forbiden) " + req.method + " " + req.url.pathname + " -> " + filePath);
- }
 else
 {
 if(!stats.isFile()) |
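Review bot: The new allow-list entry `"/lib"` in the added check has no trailing slash, unlike `"/test/"` and `"/assets/"`, so `startsWith` also accepts sibling paths such as `/lib-old/...` or `/library/...`; unless that is intended, the first added line should read `if(filePath.indexOf("..") != -1 || !["/test/", "/assets/", "/lib/"].some(`. The `..` test runs on `req.url.pathname` as received, so it only covers the literal form; if any later step in Init() percent-decodes the path before touching the filesystem, an encoded `%2e%2e` would pass this guard, and resolving the path against the served root and checking that the result stays under it would be the sturdier test. Because the check now returns before the redirect branches further down, it is worth confirming that the paths those branches handle (the 302 to `/test/Ice/acm/index.html` is visible in the next hunk) still begin with an allowed prefix rather than getting a 403. Init() begins and ends outside this hunk, so the decoding and redirect behaviour could not be checked from here.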