Change error to 403 Forbidden when outside root

pillarjs · Jan 2, 2015 · 2e69ec0 · 2e69ec0 · jonathanong · Jan 3, 2015
1 parent e9feed0
commit 2e69ec0
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 6 deletions.
diff --git a/HISTORY.md b/HISTORY.md
@@ -1,6 +1,7 @@
 unreleased
 ==========
 
+  * Change error to 403 Forbidden when outside root
   * Fix argument type errors to be consistent
   * Fix path traversal vulnerability
   * Use `http-errors` module directly

diff --git a/index.js b/index.js
@@ -73,7 +73,7 @@ function resolvePath(rootPath, relativePath) {
 
   // path outside root
   if ((path + sep).substr(0, root.length) !== root) {
-    throw createError(400, 'Malicious Path')
+    throw createError(403)
   }
 
   return path

diff --git a/test/resolvePath.js b/test/resolvePath.js
@@ -52,9 +52,9 @@ describe('resolvePath(relativePath)', function () {
   })
 
   describe('when relativePath resolves outside cwd', function () {
-    it('should throw Malicious Path error', function () {
+    it('should throw Forbidden error', function () {
       assert.throws(resolvePath.bind(null, '../index.js'),
-        expectError(400, 'Malicious Path'))
+        expectError(403, 'Forbidden'))
     })
   })
 })
@@ -129,14 +129,14 @@ describe('resolvePath(rootPath, relativePath)', function () {
   })
 
   describe('when relativePath resolves outside rootPath', function () {
-    it('should throw Malicious Path error', function () {
+    it('should throw Forbidden error', function () {
       assert.throws(resolvePath.bind(null, __dirname, '../index.js'),
-        expectError(400, 'Malicious Path'))
+        expectError(403, 'Forbidden'))
     })
 
     it('should not be tricked by missing separator', function () {
       assert.throws(resolvePath.bind(null, __dirname, join('..', basename(__dirname) + '2', 'index.js')),
-        expectError(400, 'Malicious Path'))
+        expectError(403, 'Forbidden'))
     })
   })
 })