Protect fs.stats from bad path arguments (cloudhead#223)

brpvieira · Zarel · commit 5fb988fc7d0b · 2021-08-09T23:18:43.000-07:00
Prevents uncaught exception:
TypeError [ERR_INVALID_ARG_VALUE]: The argument 'path' must be a string or Uint8Array without null bytes.
diff --git a/lib/node-static.js b/lib/node-static.js
@@ -12,6 +12,14 @@ const fs     = require('fs')
 // Current version
 const version = [0, 7, 9];
 
+function tryStat(p, callback) {
+    try {
+        fs.stat(p, callback);
+    } catch (e) {
+        callback(e);
+    }
+}
+
 const Server = function (root, options) {
     if (root && (typeof(root) === 'object')) { options = root; root = null }
 
@@ -57,7 +65,7 @@ Server.prototype.serveDir = function (pathname, req, res, finish) {
     const htmlIndex = path.join(pathname, this.options.indexFile),
         that = this;
 
-    fs.stat(htmlIndex, function (e, stat) {
+    tryStat(htmlIndex, function (e, stat) {
         if (!e) {
             const status = 200;
             const headers = {};
@@ -90,7 +98,7 @@ Server.prototype.serveFile = function (pathname, status, headers, req, res) {
 
     pathname = this.resolve(pathname);
 
-    fs.stat(pathname, function (e, stat) {
+    tryStat(pathname, function (e, stat) {
         if (e) {
             return promise.emit('error', e);
         }
@@ -145,7 +153,7 @@ Server.prototype.servePath = function (pathname, status, headers, req, res, fini
     // Make sure we're not trying to access a
     // file outside of the root.
     if (pathname.startsWith(that.root)) {
-        fs.stat(pathname, function (e, stat) {
+        tryStat(pathname, function (e, stat) {
             if (e) {
                 finish(404, {});
             } else if (stat.isFile()) {      // Stream a single file.
@@ -216,7 +224,7 @@ Server.prototype.respondGzip = function (pathname, status, contentType, _headers
     const that = this;
     if (files.length == 1 && this.gzipOk(req, contentType)) {
         const gzFile = files[0] + ".gz";
-        fs.stat(gzFile, function (e, gzStat) {
+        tryStat(gzFile, function (e, gzStat) {
             if (!e && gzStat.isFile()) {
                 const vary = _headers['Vary'];
                 _headers['Vary'] = (vary && vary != 'Accept-Encoding' ? vary + ', ' : '') + 'Accept-Encoding';
diff --git a/test/integration/node-static-test.js b/test/integration/node-static-test.js
@@ -460,4 +460,13 @@ suite.addBatch({
                 assert.equal(body, 'hello world');
             }
         }
+    }).addBatch({
+        'handling malicious urls': {
+            topic : function(){
+                request.get(TEST_SERVER + '/%00', this.callback);
+            },
+            'should respond with 404' : function(error, response, body){
+                assert.equal(response.statusCode, 404);
+            }
+        }
     }).export(module);

Original file line number	Diff line number	Diff line change
`@@ -460,4 +460,13 @@ suite.addBatch({`
`460`	`460`	`assert.equal(body, 'hello world');`
`461`	`461`	`}`
`462`	`462`	`}`
	`463`	`+ }).addBatch({`
	`464`	`+ 'handling malicious urls': {`
	`465`	`+ topic : function(){`
	`466`	`+ request.get(TEST_SERVER + '/%00', this.callback);`
	`467`	`+ },`
	`468`	`+ 'should respond with 404' : function(error, response, body){`
	`469`	`+ assert.equal(response.statusCode, 404);`
	`470`	`+ }`
	`471`	`+ }`
`463`	`472`	`}).export(module);`