crood/middleware.js at master · asyncanup/crood · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
var path = require("path"),
    bodyParser = require('body-parser'),
    webTerminal = require('web-terminal'),
    debug = require("./logger");

module.exports = function (app) {
	app.use(bodyParser.urlencoded({ extended: true }));

	app.use(function (req, res, next) {
	    var root = app.get("root");

        var err;
        ["filePath", "folderPath"].forEach(function (resourcePath) {
            resourcePath = req.query[resourcePath];

            var relative = resourcePath && path.relative(root, resourcePath);
            if (relative && relative.indexOf("..") === 0) {
                err = "Can't access resource (outside exposed scope): " + resourcePath;
            }
        });

        if (err) {
            debug(err);
            res.send(403, err);
        } else {
            next();
        }
	});
};