lone-cloud/gerbil
0
0
Fork 0
mirror of https://github.com/lone-cloud/gerbil synced 2026-06-03 19:54:44 -07:00
Code Issues Projects Releases Packages Wiki Activity

revert fake path sanitation "fixes" for CodeQL as it's a waste of time and gerbil is for offline desktop use not web/online

Browse source
This commit is contained in:
Egor 2025-11-24 14:06:47 -08:00
parent bb4cc9a8bf
commit b5573c32f5
2 changed files with 6 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
src/main/modules/static-server.ts
View file

@ -2,7 +2,7 @@ import { createServer, Server } from 'http';
import { readFile } from 'fs/promises'; import { readFile } from 'fs/promises';
import { join } from 'path'; import { join } from 'path';
import { lookup } from 'mime-types'; import { lookup } from 'mime-types';
import { pathExists, sanitizePath } from '@/utils/node/fs'; import { pathExists } from '@/utils/node/fs';
let server: Server | null = null; let server: Server | null = null;
let serverPort = 0; let serverPort = 0;
@ -10,16 +10,15 @@ let serverPort = 0;
export const startStaticServer = (distPath: string) => export const startStaticServer = (distPath: string) =>
new Promise<string>((resolve, reject) => { new Promise<string>((resolve, reject) => {
server = createServer(async (req, res) => { server = createServer(async (req, res) => {
let filePath = join(distPath, req.url === '/' ? 'index.html' : req.url!); const requestPath = req.url === '/' ? 'index.html' : req.url!;
let filePath = join(distPath, requestPath);
if (!(await pathExists(filePath))) { if (!(await pathExists(filePath))) {
filePath = join(distPath, 'index.html'); filePath = join(distPath, 'index.html');
} }
const sanitizedFilePath = sanitizePath(filePath);
try { try {
const content = await readFile(sanitizedFilePath); const content = await readFile(filePath);
const contentType = lookup(filePath) || 'application/octet-stream'; const contentType = lookup(filePath) || 'application/octet-stream';
res.writeHead(200, { 'Content-Type': contentType }); res.writeHead(200, { 'Content-Type': contentType });

20
src/utils/node/fs.ts
View file

@ -1,26 +1,10 @@
import { readFile, writeFile, access, mkdir } from 'fs/promises'; import { readFile, writeFile, access, mkdir } from 'fs/promises';
import { constants } from 'fs'; import { constants } from 'fs';
import { dirname, normalize } from 'path'; import { dirname } from 'path';
// eslint-disable-next-line no-comments/disallowComments
/**
* This function normalizes a file path and checks for null
* bytes to prevent security issues.
* This is probably not relevant for our local desktop app,
* but github does warn about it via "js/path-injection".
*/
export const sanitizePath = (path: string) => {
const normalized = normalize(path);
if (normalized.includes('\0')) {
throw new Error('Invalid path: null byte detected');
}
return normalized;
};
export const pathExists = async (path: string) => { export const pathExists = async (path: string) => {
const sanitized = sanitizePath(path);
try { try {
await access(sanitized, constants.F_OK); await access(path, constants.F_OK);
return true; return true;
} catch { } catch {
return false; return false;