fix Uncontrolled data used in path expression
TarradeMarc committed Mar 22, 2024
1 parent abaf6af commit 618c0fd
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion configmanager/server.js
@@ -14,8 +14,11 @@ app.get('/:namespace/:application', (req, res) => {
res.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
res.setHeader("Content-Security-Policy", "script-src 'self'");
const { namespace, application } = req.params;
const filePath = fs.realpathSync(path.normalize(`${__dirname}/data/cad-${namespace}-${application}.json`).replace(/^(\.\.(\/|\\|$))+/, ''));
const filePath = path.normalize(`${__dirname}/data/cad-${namespace}-${application}.json`).replace(/^(\.\.(\/|\\|$))+/, '');
const defaultFilePath = `/data/cad-default.json`;
if(!filePath.startsWith(__dirname)){
return res.end()
}

// Check if the file exists
fs.access(filePath, fs.constants.F_OK, (err) => {
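Review bot: The containment check `filePath.startsWith(__dirname)` is anchored at the application directory rather than at `data/`, and it has no trailing separator, so a normalized path that leaves `data/` but stays under `__dirname` (or lands in a sibling directory whose name merely begins with the same prefix) still passes. Compare against the data directory with its separator, e.g. `const dataDir = path.join(__dirname, 'data') + path.sep;` and `if (!filePath.startsWith(dataDir)) return res.status(400).end();`, and consider rejecting `namespace`/`application` values that do not match a strict pattern such as `/^[A-Za-z0-9_-]+$/` before the path is built. The leading-`..` regex on the `filePath` line cannot match an absolute path, so it adds no protection, and the bare `res.end()` answers a rejected request with an empty 200. The route handler continues beyond the visible hunk.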