revert fake path sanitation "fixes" for CodeQL as it's a waste of time and gerbil is for offline desktop use not web/online
This commit is contained in:
parent
bb4cc9a8bf
commit
b5573c32f5
2 changed files with 6 additions and 23 deletions
@ -2,7 +2,7 @@ import { createServer, Server } from 'http';
|
|||
import { readFile } from 'fs/promises';
|
||||
import { join } from 'path';
|
||||
import { lookup } from 'mime-types';
|
||||
import { pathExists, sanitizePath } from '@/utils/node/fs';
|
||||
import { pathExists } from '@/utils/node/fs';
|
||||
|
||||
let server: Server | null = null;
|
||||
let serverPort = 0;
|
||||
@ -10,16 +10,15 @@ let serverPort = 0;
|
|||
export const startStaticServer = (distPath: string) =>
|
||||
new Promise<string>((resolve, reject) => {
|
||||
server = createServer(async (req, res) => {
|
||||
let filePath = join(distPath, req.url === '/' ? 'index.html' : req.url!);
|
||||
const requestPath = req.url === '/' ? 'index.html' : req.url!;
|
||||
let filePath = join(distPath, requestPath);
|
||||
|
||||
if (!(await pathExists(filePath))) {
|
||||
filePath = join(distPath, 'index.html');
|
||||
}
|
||||
|
||||
const sanitizedFilePath = sanitizePath(filePath);
|
||||
|
||||
try {
|
||||
const content = await readFile(sanitizedFilePath);
|
||||
const content = await readFile(filePath);
|
||||
const contentType = lookup(filePath) || 'application/octet-stream';
|
||||
|
||||
res.writeHead(200, { 'Content-Type': contentType });
|
||||
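Review bot: `join(distPath, requestPath)` on the new line does not confine the result to `distPath`: `join` normalizes `..` segments, so a request path that climbs above the dist directory resolves to a location outside it, and both the `pathExists` probe and the `readFile` that follows then operate on that location. The removed `sanitizePath` never enforced this either (it only normalized and rejected null bytes), so the commit does not widen the gap, but the static server still serves whatever the process can read to any client that can reach its port; how narrowly it listens is decided by the `listen` call outside this hunk. Resolving the root once and rejecting any path whose `relative(root, filePath)` escapes it, before the existence check and the `index.html` fallback run, closes this; `resolve`, `relative`, `isAbsolute` and `sep` would be added to the existing `path` import in the first hunk. The handler's `try`/`catch` continues past the end of the hunk.
```typescript
const requestPath = req.url === '/' ? 'index.html' : req.url!;
const root = resolve(distPath);
let filePath = join(root, requestPath);
// Confine lookups to distPath: a result that resolves above the root is
// refused before the existence probe and the index.html fallback run.
const rel = relative(root, filePath);
if (rel === '..' || rel.startsWith(`..${sep}`) || isAbsolute(rel)) {
  res.writeHead(403);
  res.end();
  return;
}
// … unchanged: index.html fallback, readFile, content-type lookup, writeHead …
```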
@ -1,26 +1,10 @@
|
|||
import { readFile, writeFile, access, mkdir } from 'fs/promises';
|
||||
import { constants } from 'fs';
|
||||
import { dirname, normalize } from 'path';
|
||||
|
||||
// eslint-disable-next-line no-comments/disallowComments
|
||||
/**
|
||||
* This function normalizes a file path and checks for null
|
||||
* bytes to prevent security issues.
|
||||
* This is probably not relevant for our local desktop app,
|
||||
* but github does warn about it via "js/path-injection".
|
||||
*/
|
||||
export const sanitizePath = (path: string) => {
|
||||
const normalized = normalize(path);
|
||||
if (normalized.includes('\0')) {
|
||||
throw new Error('Invalid path: null byte detected');
|
||||
}
|
||||
return normalized;
|
||||
};
|
||||
import { dirname } from 'path';
|
||||
|
||||
export const pathExists = async (path: string) => {
|
||||
const sanitized = sanitizePath(path);
|
||||
try {
|
||||
await access(sanitized, constants.F_OK);
|
||||
await access(path, constants.F_OK);
|
||||
return true;
|
||||
} catch {
|
||||
return false;
|
||||
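Review bot: `pathExists` now calls `access(path, constants.F_OK)` on the raw argument and nothing documents what its bare `catch` covers: it returns `false` for every failure, not only a missing file, which includes the invalid-argument error Node's `fs` itself raises for a string containing a null byte — that is what makes dropping the explicit null-byte check safe here, and neither the code nor the commit message records it. A short TSDoc above the export would capture the contract, e.g. `/** True when the path is reachable (access with F_OK); any error, including a missing file, denied permission or an invalid path, yields false. */`. The function's closing lines fall outside the hunk.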