stjet/hedgeblog
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

preview 404 page, preview security fix

Browse Source 
404 page now shows when running preview
fix path traversal attack. preview.ts not meant to be used in production (this is a static site!), but hey
This commit is contained in:
Jon Dough
2024-02-28 07:41:33 +05:30
parent edbcde7867
commit 3ee5d4a416
1 changed files with 11 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
preview.ts
View File

@@ -11,11 +11,17 @@ createServer((req, res) => {
} else { } else {
req_path = path.join(__dirname, "build", req.url); req_path = path.join(__dirname, "build", req.url);
} }
if (!existsSync(req_path)) { let status_code = 200;
res.writeHead(404); //req.url.includes("..")
//write file if (!req_path.startsWith(path.join(__dirname, "build"))) {
res.write("404"); //nice try, bad request
res.writeHead(400);
res.write("400");
return res.end(); return res.end();
} else if (!existsSync(req_path)) {
status_code = 404;
//serve 404 page instead of non-existent page
req_path = path.join(__dirname, "build", "404.html");
} }
//set content type //set content type
let non_utf8_content_types: string[] = ["image/png", "image/gif", "image/jpeg", "video/mp4"]; let non_utf8_content_types: string[] = ["image/png", "image/gif", "image/jpeg", "video/mp4"];
@@ -49,7 +55,7 @@ createServer((req, res) => {
default: default:
content_type = "text/plain"; content_type = "text/plain";
} }
res.writeHead(200, { res.writeHead(status_code, {
"Content-Type": content_type, "Content-Type": content_type,
}); });
//write file //write file