fix: prevent seeing subdirectories

catalyzt-tech · Sep 11, 2024 · 703867d · 703867d
1 parent 493f895
commit 703867d
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/.gitignore b/.gitignore
@@ -39,4 +39,5 @@ Thumbs.db
 dist/**/*
 
 # ignore yarn.lock
-yarn.lock
+yarn.lock
+build.md
diff --git a/src/controller/get-static-data.ts b/src/controller/get-static-data.ts
@@ -3,8 +3,14 @@ import * as path from "path";
 import { FastifyReply, FastifyRequest } from "fastify";
 
 export async function GetStaticData(request: FastifyRequest<{ Params: { '*': string } }>, reply: FastifyReply) {
-    const fullPath = path.resolve(process.cwd(), 'data', request.params['*']);
 
+    // Ensure the requested path is within the base path
+    if ((request.params['*'].match(/\//g) || []).length >= 1) {
+        reply.status(403).send('Access denied: Too many subdirectories');
+        return;
+    }
+
+    const fullPath = path.resolve(process.cwd(), 'data', request.params['*']);
         try {
             const stats = await fs.promises.stat(fullPath);
             if (stats.isDirectory()) {