From be79e0f76301d9abc87d4c5e1364d1dce9114c64 Mon Sep 17 00:00:00 2001
From: Eugen Istoc
Date: Wed, 10 Jan 2024 12:24:46 -0500
Subject: [PATCH] Add path resolution for static files
---
 packages/h3/src/H3Adapter.ts | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/packages/h3/src/H3Adapter.ts b/packages/h3/src/H3Adapter.ts
index 03ec914a..8239a9b8 100644
--- a/packages/h3/src/H3Adapter.ts
+++ b/packages/h3/src/H3Adapter.ts
@@ -7,6 +7,7 @@ import {
 UIConfig,
 } from '@bull-board/api/dist/typings/app';
 import { readFileSync, statSync } from 'fs';
+import { resolve, normalize } from 'node:path';
 import {
 createRouter,
 eventHandler,
@@ -93,10 +94,23 @@ export class H3Adapter implements IServerAdapter {
 const getStaticPath = (relativePath: string) => {
 if (!this.statics) return '';
- return `${this.statics.path}${relativePath.replace(
- `${this.basePath}${this.statics.route}`,
- ''
- )}`;
+ const relativeRoot = `${this.basePath}${this.statics.route}/`;
+
+ // Ensure that the path is relative to the statics route
+ if (!relativePath.startsWith(relativeRoot)) return '';
+
+ // Normalize the path
+ const normalizedPath = normalize(relativePath);
+
+ const staticRelativePath = normalizedPath.replace(relativeRoot, '');
+
+ // Resolve the absolute path
+ const absolutePath = resolve(this.statics.path, staticRelativePath);
+
+ // Check if the absolute path is still within the statics directory
+ if (!absolutePath.startsWith(resolve(this.statics.path))) return '';
+
+ return absolutePath;
 };
 const { method, route, handler } = this.entryRoute;
@@ -123,7 +137,6 @@ export class H3Adapter implements IServerAdapter {
 eventHandler(async (event) => {
 return await serveStatic(event, {
 fallthrough: false,
- indexNames: undefined,
 getContents: (id) => readFileSync(getStaticPath(id)),
 getMeta: (id) => {
 try {
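Review bot: The final containment check in `getStaticPath`, `absolutePath.startsWith(resolve(this.statics.path))`, is a plain string-prefix test, so a sibling directory whose name merely begins with the statics directory name (constructed example: `/srv/static-private` next to `/srv/static`) would also satisfy it. Compare on a separator boundary instead: `const root = resolve(this.statics.path);` followed by `if (absolutePath !== root && !absolutePath.startsWith(root + sep)) return '';`, with `sep` added to the `node:path` import. Separately, `normalizedPath.replace(relativeRoot, '')` runs after `normalize()`, which can rewrite the prefix (dot segments, and separators on Windows) so that nothing is stripped and an absolute path is handed to `resolve()`; `relativePath.slice(relativeRoot.length)` removes the prefix that was just verified and leaves the containment check as the single guard. A one-line comment stating that `''` means "rejected" would also help, since `getContents` in the later hunk passes the result straight to `readFileSync`.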