From 2e69ec014baa7d0d777d048584fb16658428b19d Mon Sep 17 00:00:00 2001 From: Douglas Christopher Wilson Date: Fri, 2 Jan 2015 18:16:14 -0500 Subject: [PATCH] Change error to 403 Forbidden when outside root --- HISTORY.md | 1 + index.js | 2 +- test/resolvePath.js | 10 +++++----- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/HISTORY.md b/HISTORY.md index 2fc83dd..0a1c913 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -1,6 +1,7 @@ unreleased ========== + * Change error to 403 Forbidden when outside root * Fix argument type errors to be consistent * Fix path traversal vulnerability * Use `http-errors` module directly diff --git a/index.js b/index.js index 2c5800b..270d083 100644 --- a/index.js +++ b/index.js @@ -73,7 +73,7 @@ function resolvePath(rootPath, relativePath) { // path outside root if ((path + sep).substr(0, root.length) !== root) { - throw createError(400, 'Malicious Path') + throw createError(403) } return path diff --git a/test/resolvePath.js b/test/resolvePath.js index 641d484..ddc45aa 100644 --- a/test/resolvePath.js +++ b/test/resolvePath.js @@ -52,9 +52,9 @@ describe('resolvePath(relativePath)', function () { }) describe('when relativePath resolves outside cwd', function () { - it('should throw Malicious Path error', function () { + it('should throw Forbidden error', function () { assert.throws(resolvePath.bind(null, '../index.js'), - expectError(400, 'Malicious Path')) + expectError(403, 'Forbidden')) }) }) }) 
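Review bot: In the index.js hunk the new `throw createError(403)` sits behind a bare prefix comparison with no comment recording the invariant it depends on: `(path + sep).substr(0, root.length) !== root` is only a sound containment check if `root` already ends with `sep` and both sides are resolved absolute paths, and both facts are established earlier in resolvePath, outside this hunk. I would add above the `if`: `// root ends with sep; appending sep to path before the prefix test stops '<root>2/…' from passing as inside root` (the "missing separator" test in test/resolvePath.js is the regression for exactly that), so the next maintainer does not drop the `+ sep`. A second line on the status is worth having too: 403 rather than 400 says the request was well-formed but resolves outside the served tree, and the default 'Forbidden' message that the tests now assert no longer tells the client the path was classified as malicious. Note that this is a lexical check — a symlink inside root that points outside is not caught by string comparison — so if that is intentionally out of scope, the comment should say so; I cannot see how `root` and `path` are normalised from here.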
@@ -129,14 +129,14 @@ describe('resolvePath(rootPath, relativePath)', function () { }) describe('when relativePath resolves outside rootPath', function () { - it('should throw Malicious Path error', function () { + it('should throw Forbidden error', function () { assert.throws(resolvePath.bind(null, __dirname, '../index.js'), - expectError(400, 'Malicious Path')) + expectError(403, 'Forbidden')) }) it('should not be tricked by missing separator', function () { assert.throws(resolvePath.bind(null, __dirname, join('..', basename(__dirname) + '2', 'index.js')), - expectError(400, 'Malicious Path')) + expectError(403, 'Forbidden')) }) }) })