
Commit bfd5e6a

Merge pull request #5 from Pro-Fa/alert-autofix-3
Potential fix for code scanning alert no. 3: Uncontrolled data used in path expression
2 parents 39581cc + d3d163f commit bfd5e6a

1 file changed

Lines changed: 4 additions & 4 deletions


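--- a/samples/language-service-sample/serve-sample.cjs
+++ b/samples/language-service-sample/serve-sample.cjs
@@ -40,10 +40,10 @@ const server = http.createServer((req, res) => {
 urlPath = 'samples/language-service-sample' + urlPath;
 }
 
-const relativePath = urlPath.replace(/^\/+/, '');
-const filePath = path.resolve(root, relativePath);
-const relativeToRoot = path.relative(root, filePath);
-if (relativeToRoot.startsWith('..') || path.isAbsolute(relativeToRoot)) {
+const safeRelativePath = urlPath.replace(/^([/\\])+/, '');
+const filePath = path.resolve(root, safeRelativePath);
+const rootWithSep = root.endsWith(path.sep) ? root : root + path.sep;
+if (!(filePath === root || filePath.startsWith(rootWithSep))) {
 return send(res, 403, 'Forbidden');
 }
 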
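Review bot: The prefix comparison on the new `if` line is only meaningful if `root` is itself an absolute, normalized path, because `filePath` is the output of `path.resolve` while `root` is compared as-is; `root` is declared above the hunk, so if it is relative or still carries `.`/`..` segments the check fails closed and every request gets a 403 rather than a file. Suggest normalizing it once at its declaration, `const root = path.resolve(/* existing value */);`, or at least documenting the precondition above the check: `// root must be absolute and normalized (path.resolve) for the prefix test below to be sound`. Note also that `path.resolve` does not follow symlinks, so a link inside `root` that targets a location outside it still passes this test; if that matters for the sample, resolving with `fs.realpathSync` before comparing would close it. The enclosing request handler starts and ends outside the hunk.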