fix: hide from public directory only file whose basename start with a…

… dot (#206)
ForkbombEu · Jun 11, 2024 · e39d441 · e39d441
1 parent b453e16
commit e39d441
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 2 deletions.
diff --git a/public/.test.txt b/public/.test.txt
@@ -0,0 +1 @@
+This should not be reachable!
diff --git a/public/.test/test.txt b/public/.test/test.txt
@@ -0,0 +1 @@
+This should be reachable!
diff --git a/src/index.ts b/src/index.ts
@@ -171,7 +171,7 @@ Dir.ready(async () => {
 			res.onAborted(() => {
 				res.writeStatus('500').end('Aborted');
 			});
-			if (req.getUrl().replace(/^\/+/g, '/').startsWith('/.')) return res.writeStatus('404 Not Found').end('Not found');
+			if (req.getUrl().split('/').pop().startsWith('.')) return res.writeStatus('404 Not Found').end('Not found');
 			let file = path.join(publicDirectory, req.getUrl());
 			if (fs.existsSync(file)) {
 				let contentType = mime.getType(file) || 'application/json';

diff --git a/tests/workflow.stepci.yml b/tests/workflow.stepci.yml
@@ -421,4 +421,17 @@ tests:
               title: Benvenuto
               body: Hello World!
             headers:
-              Content-Type: text/html
+              Content-Type: text/html
+      - name: unreachable file since its basename start with a dot
+        http:
+          url: http://${{env.host}}/.test.txt
+          method: GET
+          check:
+            status: 404
+      - name: reachable file since its filepath start with a dot, but not its basename
+        http:
+          url: http://${{env.host}}/.test/test.txt
+          method: GET
+          check:
+            status: 200
+            body: This should be reachable!