Ensure that requests ending with a slash and without try looking for …

…an index.html file. And prevent malicious directory traversing
tombh · Feb 1, 2016 · 64eb267 · 64eb267
1 parent e1c03c4
commit 64eb267
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 15 deletions.
diff --git a/lib/file_handler.rb b/lib/file_handler.rb
@@ -1,16 +1,15 @@
+# Useful file methods
 class FileHandler
   def self.media_type(filename)
     extension = ::File.extname(filename)
-
     Rack::Mime.mime_type(extension)
   end
 
   def self.file_info(path)
     info = {
-      :body => ::File.read(path),
-      :time => ::File.mtime(path).httpdate
+      body: ::File.read(path),
+      time: ::File.mtime(path).httpdate
     }
-
     info
   end
 end
diff --git a/lib/server.rb b/lib/server.rb
@@ -10,18 +10,19 @@ def call(env)
   end
 
   def file_path
-    if @request.path_info.end_with?('/')
-      normalized = @request.path_info + 'index.html'
-    else
-      normalized = @request.path_info
-    end
     @root = File.join Jekbox::DROPBOX_PATH, @request.host
-    File.join @root, '_site', normalized
+    path = File.expand_path File.join @root, '_site', @request.path_info
+    with_index = File.join path, 'index.html'
+    if File.file? path
+      path
+    elsif File.file? with_index
+      with_index
+    end
   end
 
   def build_response
     @file = file_path
-    if File.exist? @file
+    if @file
       build_file_response
     else
       build_404
@@ -30,6 +31,7 @@ def build_response
   end
 
   def build_file_response
+    fail unless @file.include? @root # Prevent malicious path requests
     file_info = FileHandler.file_info @file
     body = file_info[:body]
     time = file_info[:time]

diff --git a/...fixtures/jekbox.example.com/_site/foo.css → ...s/jekbox.example.com/_site/assets/foo.css b/...fixtures/jekbox.example.com/_site/foo.css → ...s/jekbox.example.com/_site/assets/foo.css
diff --git a/spec/fixtures/jekbox.example.com/_site/deep/index.html b/spec/fixtures/jekbox.example.com/_site/deep/index.html
@@ -0,0 +1 @@
+Deep page
diff --git a/spec/server_spec.rb b/spec/server_spec.rb
@@ -11,14 +11,32 @@ def app
   end
 
   describe 'Find paths' do
-    it 'should find the index.html file when a URL without a file is requested' do
-      get 'http://jekbox.example.com'
-      expect(last_response.body).to eq "The index page\n"
+    context 'Finding the index.html file when a URL without a file is requested' do
+      it 'should use index.html when root is requested' do
+        get 'http://jekbox.example.com'
+        expect(last_response.body).to eq "The index page\n"
+      end
+
+      it 'should use index.html when a / is present' do
+        get 'http://jekbox.example.com/deep/'
+        expect(last_response.body).to eq "Deep page\n"
+      end
+
+      it 'should use index.html when a / is not present' do
+        get 'http://jekbox.example.com/deep'
+        expect(last_response.body).to eq "Deep page\n"
+      end
     end
 
     it 'should find a normal file' do
-      get 'http://jekbox.example.com/foo.css'
+      get 'http://jekbox.example.com/assets/foo.css'
       expect(last_response.body).to eq "body {}\n"
     end
+
+    it 'should find a normal file' do
+      expect do
+        get 'http://jekbox.example.com/../../../spec_helper.rb'
+      end.to raise_error RuntimeError
+    end
   end
 end