feat(serve-static): support absolute root#3420
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #3420 +/- ##
=======================================
Coverage 95.77% 95.78%
=======================================
Files 155 155
Lines 9310 9325 +15
Branches 2725 2808 +83
=======================================
+ Hits 8917 8932 +15
Misses 393 393 ☔ View full report in Codecov by Sentry. |
|
Hey @usualoma ! Can you review this? |
usualoma
left a comment
There was a problem hiding this comment.
I think it's a good change!
However, although it will be a breaking change, I think that for users who are using it for the first time, they will expect that specifying it as follows will result in an absolute path, so I think it is a difficult question as to whether or not allowAbsoluteRoot is necessary.
serveStatic({ root: '/home/hono/app/static' })| // assets => /assets | ||
| path = path.replace(/^(?!\/)/, '/') | ||
| // Using URL to normalize the path. | ||
| const url = new URL(`file://${path}`) |
There was a problem hiding this comment.
What was the purpose of using URL? (Sorry, I don't understand.)
With the current code, the following results will be obtained, so I think some kind of modification is necessary.
getFilePathWithoutDefaultDocument({
filename: '/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd',
root: '/p/p2',
allowAbsoluteRoot: true,
}) // /etc/passwdThere was a problem hiding this comment.
It uses URL to normalize paths like .., but as you said, it's not good! I'll change it.
There was a problem hiding this comment.
Thank you!
If the necessary requirements are as follows,
- root :
..refers to the directory above - path:
%2e%2eshould be left as is
The following code would also achieve this, and I think it would be more performant than resolving .. for each request. Is it possible to meet the requirements in this way?
diff --git a/src/middleware/serve-static/index.ts b/src/middleware/serve-static/index.ts
index 49cbcd3c..3517a2e7 100644
--- a/src/middleware/serve-static/index.ts
+++ b/src/middleware/serve-static/index.ts
@@ -40,6 +40,8 @@ export const serveStatic = <E extends Env = Env>(
isDir?: (path: string) => boolean | undefined | Promise<boolean | undefined>
}
): MiddlewareHandler => {
+ const root = new URL(`file://${options.root}`).pathname
+
return async (c, next) => {
// Do nothing if Response is already set
if (c.finalized) {
@@ -49,7 +51,6 @@ export const serveStatic = <E extends Env = Env>(
let filename = options.path ?? decodeURI(c.req.path)
filename = options.rewriteRequestPath ? options.rewriteRequestPath(filename) : filename
- const root = options.root
const allowAbsoluteRoot = options.allowAbsoluteRoot ?? false
There was a problem hiding this comment.
I updated it. What do you think of the middleware/serve-static/index.ts?
There was a problem hiding this comment.
Well, but
new URL(`file://${options.root}`).pathname
I think the behavior will change if you specify a relative path that includes the parent directory.
serveStatic({ root: '../relative/from/parent' })
The following method may be better.
let root: string = options.root
if (root && root.startsWith('/')) {
isAbsoluteRoot = true
root = new URL(`file://${root}`).pathname
}There was a problem hiding this comment.
I've updated the code: 6365ba9
This change includes the fix for #3420 (comment) and added some tests. Could you review it?
| @@ -42,6 +44,9 @@ export const getFilePathWithoutDefaultDocument = ( | |||
| // /foo.html => foo.html | |||
| filename = filename.replace(/^\.?[\/\\]/, '') | |||
There was a problem hiding this comment.
I think it would be better to use /^\.?[\/\\]+/ because it is very dangerous if a / remains at the beginning due to the following changes.
| filename = filename.replace(/^\.?[\/\\]/, '') | |
| filename = filename.replace(/^\.?[\/\\]+/, '') |
There was a problem hiding this comment.
Is the following code one of the dangerous cases? You mean this test should pass, right?
// with the current implementation, the following will fail
expect(getFilePathWithoutDefaultDocument({ filename: '///foo.txt' })).toBe('foo.txt')There was a problem hiding this comment.
I see, I'm sorry, the code I suggested might not be good. The case I'm worried about is as follows.
import { serveStatic } from './src/adapter/bun'
import { Hono } from './src/hono'
const app = new Hono()
app.use('/static/*', serveStatic({ root: './' }))
app.use('/favicon.ico', serveStatic({ path: './favicon.ico' }))
app.get('/', (c) => c.text('You can access: /static/hello.txt'))
app.get('*', serveStatic({ root: '.' })) // fallback
// or app.get('*', serveStatic({}))
export default appI don't think this is a realistic setting, but it's not an invalid setting, and I think the relative path from the application directory will result in the expected result. With the current code in the feat/serve-static-absolute-root branch, if you access http://localhost:3000///etc/passwd, you can access any path from the absolute path using directory traversal.
There was a problem hiding this comment.
I think the following changes will also prevent directory traversal.
diff --git a/src/utils/filepath.ts b/src/utils/filepath.ts
index f3f2ea82..61471483 100644
--- a/src/utils/filepath.ts
+++ b/src/utils/filepath.ts
@@ -52,5 +52,9 @@ export const getFilePathWithoutDefaultDocument = (
let path = root ? root + '/' + filename : filename
path = path.replace(/^\.?\//, '')
+ if (root[0] !== '/' && path[0] === '/') {
+ return
+ }
+
return path
}|
The reason I prefer However, this is my current opinion. Is this too much thing? |
|
@yusukebe I can understand that “absolute path specifications are more likely to lead to dangerous situations”. However, on the other hand, I think that “if For example, if you wrote the following expecting it to be treated as an absolute path, but it ended up being treated as a relative path because you didn't specify serveStatic({ root: '/static' })I think that “unexpected results for users” are the most dangerous. serveStatic({ root: '/static' }) // throw runtime error
serveStatic({ root: '/static', allowAbsoluteRoot: true }) // served with absolute pathIf you specify it like this, instead of processing it as a relative path, how about making it an error at runtime? |
You are right. It's also dangerous. The idea you mentioned below is that throwing an error is good, but I think it's okay not to implement it. It's good to allow an absolute path that starts I'll change the code later. Thank you! |
c055a21 to
613b3c1
Compare
e33a4cb to
a4ecbeb
Compare
a4ecbeb to
6365ba9
Compare
| app.get('/static/*', serveStatic) | ||
|
|
||
| const res = await app.request('/static/html/hello.html') | ||
| expect(await res.text()).toBe('Hello in ./../home/hono/static/html/hello.html') |
There was a problem hiding this comment.
This behavior is the same as the current main one.
* feat(serve-static): support absolute root * add bun runtime test * don't use `Request` * add code for deno * remove unnecessay `console.log` * use `normalizeFilePath` instead of `URL` * use `URL` for `options.root` * don't allow directory traversal and fix the behavior when root including `../`
This PR enables the serve static middleware to support an absolute path for
root. This change affects theserveStaticfrom Bun and Deno adapter.To use an absolute path for
root, you should setallowAbsoluteRootastrue. This is because it prevents security issues. If the user does not know a root can have an absolute path, an intended string that includes an absolute path is set; it will cause unexpected behavior for them. And using an absolute path has a risk of accessing the whole of the system. So, setting the flag explicitly is a good design.We should implement the same feature for the Node.js adapter later.
Related to #3383 #3108
Closes #3107
The author should do the following, if applicable
bun run format:fix && bun run lint:fixto format the code