From 5b0e45a5646a011251691d063f1c01b6dd3a8079 Mon Sep 17 00:00:00 2001
From: Dave Conway-Jones
Date: Mon, 11 Jan 2021 12:00:26 +0000
Subject: [PATCH] check served paths to close #669

---
 CHANGELOG.md | 1 +
 dist/dashboard.appcache | 2 +-
 nodes/ui_base.js | 6 ++++++
 package.json | 2 +-
 4 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 68471696..4488eacb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@
 **Fixes**
 - Fix slider text colour to better contrast with widget background. Issue #665
+ - Check served endpoint to prevent path traversal. Issue #669.
 ### 2.26.1: Maintenance Release
diff --git a/dist/dashboard.appcache b/dist/dashboard.appcache
index d554dd6f..02d46a62 100644
--- a/dist/dashboard.appcache
+++ b/dist/dashboard.appcache
@@ -1,5 +1,5 @@
 CACHE MANIFEST
-# Time: Sun Jan 03 2021 16:04:26 GMT+0000 (Greenwich Mean Time)
+# Time: Mon Jan 11 2021 11:53:49 GMT+0000 (Greenwich Mean Time)
 CACHE:
 i18n.js
diff --git a/nodes/ui_base.js b/nodes/ui_base.js
index 62d589ae..b2be6f2c 100644
--- a/nodes/ui_base.js
+++ b/nodes/ui_base.js
@@ -88,8 +88,12 @@ module.exports = function(RED) {
 res.json(set);
 });
+ var dname = path.normalize(path.join(__dirname , '../dist/'));
+ var gspath = path.dirname(gsp);
+
 RED.httpAdmin.get('/ui_base/js/*', function(req, res) {
 var filename = path.join(__dirname , '../dist/js', req.params[0]);
+ if (filename.indexOf(dname) !== 0) { res.sendStatus(404); }
 res.sendFile(filename, function (err) {
 if (err) {
 if (node) {
@@ -104,6 +108,7 @@ module.exports = function(RED) {
 RED.httpAdmin.get('/ui_base/gs/*', function(req, res) {
 var filename = path.join(path.dirname(gsp), req.params[0]);
+ if (filename.indexOf(gspath) !== 0) { res.sendStatus(404); }
 res.sendFile(filename, function (err) {
 if (err) {
 if (node) {
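Review bot: The new prefix guard in the `/ui_base/js/*` handler does not stop the handler: `res.sendStatus(404)` ends the response, but control falls through to `res.sendFile(filename, …)`, so the rejected path is still handed to sendFile and the outcome rests on the send library refusing to write after headers are sent, which presumably shows up as a spurious error in the callback and a node warning. Make the rejection terminal, `if (filename.indexOf(dname) !== 0) { return res.sendStatus(404); }`. The same fall-through is present in the `/ui_base/gs/*` hunk below and the `/ui_base/css/*` hunk at -118. The check also compares against the dist root (`dname`) rather than the `dist/js` directory this route serves (likewise `dist/css` at -118); deriving the base from the same `'../dist/js'` join would make the guard match the route's intent, and `path.join` already normalizes, so the extra `path.normalize` wrapping is redundant. Both the enclosing `module.exports` function and the `sendFile` callback continue outside this hunk.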
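Review bot: `gspath` is `path.dirname(gsp)` and so carries no trailing separator, which means `filename.indexOf(gspath) !== 0` also accepts a sibling directory whose name merely begins with the same text as the gs directory. Compare against `gspath + path.sep` (or use `path.relative(gspath, filename)` and reject results that start with `..`) so only descendants pass. `dname` in the previous hunk is built from `'../dist/'` and keeps its trailing separator after normalization, which is why that check does not have the same gap. The route handler continues past the end of this hunk.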
@@ -118,6 +123,7 @@ module.exports = function(RED) {
 RED.httpAdmin.get('/ui_base/css/*', function(req, res) {
 var filename = path.join(__dirname , '../dist/css', req.params[0]);
+ if (filename.indexOf(dname) !== 0) { res.sendStatus(404); }
 res.sendFile(filename, function (err) {
 if (err) {
 if (node) {
diff --git a/package.json b/package.json
index 62cf33e0..da5274d0 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "node-red-dashboard",
- "version": "2.26.1",
+ "version": "2.26.2",
 "description": "A set of dashboard nodes for Node-RED",
 "keywords": [
 "node-red"