forked from mirrors/Scribe.js
Security fix -
Restrict access to files on the web server by checking the contents of the request path before allowing the file to be accessed.
parent
eb70a19a0c
commit
2b441cdb9f
1 changed files with 44 additions and 0 deletions
|
@ -133,6 +133,50 @@
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
|
||||||
|
* This function scans through any webPanel request.
|
||||||
|
* if the request contains the 'path' query parameter then it will pass it
|
||||||
|
* through a check that ensures the following:
|
||||||
|
- it contains logs
|
||||||
|
- it contains 20xx
|
||||||
|
- it is accessing a .json file
|
||||||
|
* if it passess the checks it sends the request to the next webPanel function
|
||||||
|
* otherwise it returns a json error message
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
*/
|
||||||
|
|
||||||
|
webPanel.use(function(req, res, next){
|
||||||
|
|
||||||
|
var path = req.query.path
|
||||||
|
|
||||||
|
if(path!=null){
|
||||||
|
|
||||||
|
if(path.indexOf("logs")!=-1 && path.indexOf("20")!=-1 && path.indexOf(".json")!=-1) {
|
||||||
|
|
||||||
|
next();
|
||||||
|
|
||||||
|
} else {
|
||||||
|
|
||||||
|
var response = {};
|
||||||
|
response.error = true;
|
||||||
|
res.json(response);
|
||||||
|
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
} else {
|
||||||
|
|
||||||
|
next();
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
});
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* /api
|
* /api
|
||||||
|
|
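Review bot: The guard `if(path.indexOf("logs")!=-1 && path.indexOf("20")!=-1 && path.indexOf(".json")!=-1)` only tests that three substrings occur somewhere in `req.query.path`, so it does not constrain which file the value resolves to; a value with `..` segments still passes as long as those substrings appear. It also assumes a string, but Express can deliver `req.query.path` as an array or object for repeated or bracketed parameters, where `indexOf` either means something different or is missing and throws. I would resolve the value against the log directory, require the result to stay inside it and to have a `.json` extension, and answer rejections with a 403 rather than a 200 carrying `{error: true}`. The doc comment's "20xx" should also be brought in line with what the code tests, which is `"20"`. How later handlers read `req.query.path` is outside this hunk, so the base directory in the sketch below is a placeholder.

```javascript
webPanel.use(function (req, res, next) {
    var requested = req.query.path;
    if (requested == null) {
        return next();
    }
    // LOG_ROOT: placeholder for the absolute log directory; nodePath: Node's path module.
    var resolved = typeof requested === 'string' ? nodePath.resolve(LOG_ROOT, requested) : '';
    var inside = resolved.indexOf(LOG_ROOT + nodePath.sep) === 0;
    if (!inside || nodePath.extname(resolved) !== '.json') {
        return res.status(403).json({ error: true });
    }
    next();
});
```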