From 6fb2102099e1287136c2ba9e40795dd54579452c Mon Sep 17 00:00:00 2001
From: coderaiser
Date: Tue, 16 Apr 2024 23:04:46 +0300
Subject: [PATCH] fix: server: route: path traversal

---
 server/route.mjs | 4 ++++
 test/rest/fs.mjs | 7 +++++++
 2 files changed, 11 insertions(+)

diff --git a/server/route.mjs b/server/route.mjs
index 5397c27f..d6917ec5 100644
--- a/server/route.mjs
+++ b/server/route.mjs
@@ -77,7 +77,11 @@ async function route({config, options, request, response}) {
     const rootName = name.replace(CloudFunc.FS, '') || '/';
     const fullPath = root(rootName, config('root'));
+    if (fullPath.indexOf(config('root')))
+        return ponse.sendError(Error(`Path '${fullPath}' beyond root '${config('root')}'`), p);
+
     const {html, win32} = options;
+
     const read = getReadDir(config, {
         win32,
     });
diff --git a/test/rest/fs.mjs b/test/rest/fs.mjs
index 7557ede0..07f4b7f6 100644
--- a/test/rest/fs.mjs
+++ b/test/rest/fs.mjs
@@ -18,3 +18,10 @@ test('cloudcmd: rest: fs: path', async (t) => {
     t.equal(path, '/', 'should dir path be "/"');
     t.end();
 });
+
+test('cloudcmd: path traversal beyond root', async (t) => {
+    const {body} = await request.get('/fs..%2f..%2fetc/passwd');
+
+    t.match(body, 'beyond root', 'should return beyond root message');
+    t.end();
+});
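Review bot: The guard on the added `if (fullPath.indexOf(config('root')))` line is a plain string-prefix test, so a sibling directory whose name merely starts with the root string still passes (root `/srv/data` accepts `/srv/data2/...` because `indexOf` returns 0), and it leans on the truthiness of -1 versus 0 instead of an explicit comparison. A containment check built on `path.relative` is both stricter and reads as intended; it needs `path` from `node:path` in scope, which I cannot see from this hunk. The error message also echoes `fullPath` and `config('root')` back to the client, disclosing the server's filesystem layout to anyone who probes the endpoint, so send a fixed message (keeping the words "beyond root" so the accompanying test still matches) and log the detail server-side instead. Whether `root()` normalises `..` segments before this comparison is not visible here, and `route`'s body continues on both sides of the hunk.
```javascript
    const rootDir = config('root');
    const fullPath = root(rootName, rootDir);
    // path.relative() only yields a '..'-leading or absolute (cross-drive on win32)
    // result when fullPath lies outside rootDir; a prefix test does not cover siblings.
    const relative = path.relative(rootDir, fullPath);
    if (relative === '..' || relative.startsWith(`..${path.sep}`) || path.isAbsolute(relative))
        return ponse.sendError(Error('Path beyond root'), p);
    // … unchanged: options destructuring and getReadDir call …
```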
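Review bot: The `t.match(body, 'beyond root', ...)` assertion only proves the message text appears in the body, not that the request was refused, so a regression that emits the message next to a directory listing, or with a success status, still passes. If `request.get` exposes the response status, assert on it alongside the body, e.g. `const {body, status} = await request.get(...)` followed by `t.equal(status, 400, 'should reject traversal')` with whichever code `ponse.sendError` actually emits (not visible here). A second case that requests a root-prefix sibling (root `/tmp/a`, request resolving to `/tmp/ab`) would pin the containment semantics rather than only the `..` form.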