Properly check for absolute file paths

Johannes Zellner
Commit d755925f authored Mar 01, 2016 by Johannes Zellner
Showing with 4 additions and 1 deletions
cli/actions.js
src/files.js
--- a/cli/actions.js
+++ b/cli/actions.js
@@ -187,6 +187,7 @@ function del(filePath) {
    superagent.del(config.server() + API + relativeFilePath).query(gQuery).end(function (error, result) {
        if (error && error.status === 401) return console.log('Login failed');
        if (error && error.status === 404) return console.log('No such file or directory');
+        if (error && error.status === 403) return console.log('No such file or directory');
        if (error) return console.log('Failed', result ? result.body : error);
        console.log('Success. Removed %s files.', result.body.entries.length);

--- a/src/files.js
+++ b/src/files.js
@@ -106,7 +106,9 @@ function del(req, res, next) {
    var filePath = req.params[0];
    var absoluteFilePath = getAbsolutePath(filePath);
    if (!absoluteFilePath) return next(new HttpError(404, 'Not found'));
-    if (absoluteFilePath.slice(gBasePath.length) === '') return next(new HttpError(403, 'Forbidden'));
+    // absoltueFilePath has to have the base path prepended
+    if (absoluteFilePath.length <= gBasePath.length) return next(new HttpError(403, 'Forbidden'));
    fs.stat(absoluteFilePath, function (error, result) {
        if (error) return next(new HttpError(404, error));