Always check path accessed by JavaScript test server

author: Jose <jose@zeroc.com> 2020-12-30 21:16:13 +0100
committer: Jose <jose@zeroc.com> 2020-12-30 21:16:13 +0100
commit: 7df6f4533dc905ada0b9a9e53ad004bd80b0cac7 (patch)
tree: fcf2aef7f08c3b94728761a8d1261d7a0f5f4328 /js/bin/HttpServer.js
parent: Use short cast to make narrow conversion in compound assignment explicit (diff)
download: ice-7df6f4533dc905ada0b9a9e53ad004bd80b0cac7.tar.bz2
ice-7df6f4533dc905ada0b9a9e53ad004bd80b0cac7.tar.xz
ice-7df6f4533dc905ada0b9a9e53ad004bd80b0cac7.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/js/bin/HttpServer.js b/js/bin/HttpServer.js
index 2e4228bcc52..53825a21aa5 100644
--- a/js/bin/HttpServer.js
+++ b/js/bin/HttpServer.js
@@ -252,6 +252,12 @@ function Init()
                                     filePath);
                     }
                 }
+                else if(filePath.indexOf("..") != -1 || ["/test/", "/assets/"].some(prefix => filePath.startsWith(prefix)))
+                {
+                    res.writeHead(403);
+                    res.end("403 Forbiden");
+                    console.log("HTTP/403 (Forbiden) " + req.method + " " + req.url.pathname + " -> " + filePath);
+                }
                 else
                 {
                     if(!stats.isFile())
author	Jose <jose@zeroc.com>	2020-12-30 21:16:13 +0100
committer	Jose <jose@zeroc.com>	2020-12-30 21:16:13 +0100
commit	7df6f4533dc905ada0b9a9e53ad004bd80b0cac7 (patch)
tree	fcf2aef7f08c3b94728761a8d1261d7a0f5f4328 /js/bin/HttpServer.js
parent	Use short cast to make narrow conversion in compound assignment explicit (diff)
download	ice-7df6f4533dc905ada0b9a9e53ad004bd80b0cac7.tar.bz2 ice-7df6f4533dc905ada0b9a9e53ad004bd80b0cac7.tar.xz ice-7df6f4533dc905ada0b9a9e53ad004bd80b0cac7.zip