fix(zone.js): a path traversal attack in test (angular#32392)

`simple-server.js` is vulnerable to a trivial path traversal attack, i.e. an attacker can supply a path like `../../etc/passwd` to read arbitrary files on the server. This change fixes the issue by properly resolving the path, and then only serving files under the current directory (as intended). This is not really a security issue, given the code is not part of Angular, but rather just testing infrastructure for Angular itself, and the CI servers are not expected to contain confidential information, but still worth fixing for code hygiene. PR Close angular#32392
rmshea · Aug 30, 2019 · d498314 · d498314
1 parent 8dc3f36
commit d498314
Showing 1 changed file with 13 additions and 4 deletions.
diff --git a/packages/zone.js/simple-server.js b/packages/zone.js/simple-server.js
@@ -13,22 +13,31 @@ let server;
 
 const localFolder = __dirname;
 
+function writeNotFound(res) {
+  res.writeHead(404, {'Content-Type': 'text/html'});
+  res.end('<h1>404, Not Found!</h1>');
+}
+
 function requestHandler(req, res) {
   if (req.url === '/close') {
     res.end('server closing');
     setTimeout(() => { process.exit(0); }, 1000);
   } else {
-    const file = localFolder + req.url;
+    const file = path.resolve(localFolder, req.url);
+    if (!file.startsWith(localFolder + '/')) {
+      writeNotFound(res);
+      return;
+    }
 
     fs.readFile(file, function(err, contents) {
       if (!err) {
         res.end(contents);
       } else {
-        res.writeHead(404, {'Content-Type': 'text/html'});
-        res.end('<h1>404, Not Found!</h1>');
+        writeNotFound(res);
+        return;
       };
     });
   };
 };
 
-server = http.createServer(requestHandler).listen(8080);
+server = http.createServer(requestHandler).listen(8080);