
check served paths to close #669
Dave Conway-Jones committed Jan 11, 2021
1 parent 6048d84 commit 5b0e45a
Showing 4 changed files with 9 additions and 2 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -3,6 +3,7 @@
**Fixes**

- Fix slider text colour to better contrast with widget background. Issue #665
- Check served endpoint to prevent path traversal. Issue #669.

### 2.26.1: Maintenance Release

2 changes: 1 addition & 1 deletion dist/dashboard.appcache
@@ -1,5 +1,5 @@
CACHE MANIFEST
# Time: Sun Jan 03 2021 16:04:26 GMT+0000 (Greenwich Mean Time)
# Time: Mon Jan 11 2021 11:53:49 GMT+0000 (Greenwich Mean Time)

CACHE:
i18n.js
6 changes: 6 additions & 0 deletions nodes/ui_base.js
Expand Up @@ -88,8 +88,12 @@ module.exports = function(RED) {
res.json(set);
});

var dname = path.normalize(path.join(__dirname , '../dist/'));
var gspath = path.dirname(gsp);

RED.httpAdmin.get('/ui_base/js/*', function(req, res) {
var filename = path.join(__dirname , '../dist/js', req.params[0]);
if (filename.indexOf(dname) !== 0) { res.sendStatus(404); }
res.sendFile(filename, function (err) {
if (err) {
if (node) {
Expand All @@ -104,6 +108,7 @@ module.exports = function(RED) {

RED.httpAdmin.get('/ui_base/gs/*', function(req, res) {
var filename = path.join(path.dirname(gsp), req.params[0]);
if (filename.indexOf(gspath) !== 0) { res.sendStatus(404); }
res.sendFile(filename, function (err) {
if (err) {
if (node) {
Expand All @@ -118,6 +123,7 @@ module.exports = function(RED) {

RED.httpAdmin.get('/ui_base/css/*', function(req, res) {
var filename = path.join(__dirname , '../dist/css', req.params[0]);
if (filename.indexOf(dname) !== 0) { res.sendStatus(404); }
res.sendFile(filename, function (err) {
if (err) {
if (node) {
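Review bot: The new guard in each of the three handlers (`/ui_base/js/*`, `/ui_base/gs/*`, `/ui_base/css/*`) sends the 404 but does not return, so execution falls through to `res.sendFile(filename, ...)` with the rejected path; the second send fails with a headers-already-sent error that lands in the callback's error branch rather than being an intended early exit. Each guard should be `if (filename.indexOf(dname) !== 0) { return res.sendStatus(404); }` (with `gspath` in the gs handler). For the gs route the base `gspath = path.dirname(gsp)` has no trailing separator, so the prefix test also accepts a sibling directory whose name merely starts with the same string; `dname` avoids this because `path.normalize` keeps the trailing slash, and the gs check should compare against `gspath + path.sep` to match. Note too that `dname` is the whole `../dist/` tree, so the js and css routes are confined to dist rather than to their own subdirectory, which may be intended but is worth a one-line comment. The enclosing `module.exports = function(RED)` and each handler's sendFile callback continue outside the hunk.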
2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "node-red-dashboard",
"version": "2.26.1",
"version": "2.26.2",
"description": "A set of dashboard nodes for Node-RED",
"keywords": [
"node-red"
