Merge pull request #19096 from Rob--W/test-server-hardening

Fix path traversal issue in createTemporaryNodeServer
2025-04-20 15:18:08 +02:00 · 2024-11-24 15:30:22 +01:00 · 2024-11-24 15:30:22 +01:00 · 8ae5b4e442
commit 8ae5b4e442
parent 9017e80d5a 17da8ee8fa
1 changed files with 14 additions and 0 deletions
--- a/test/unit/test_utils.js
+++ b/test/unit/test_utils.js
@ -127,9 +127,23 @@ function createTemporaryNodeServer() {

  const fs = process.getBuiltinModule("fs"),
    http = process.getBuiltinModule("http");
+  function isAcceptablePath(requestUrl) {
+    try {
+      // Reject unnormalized paths, to protect against path traversal attacks.
+      const url = new URL(requestUrl, "https://localhost/");
+      return url.pathname === requestUrl;
+    } catch {
+      return false;
+    }
+  }
  // Create http server to serve pdf data for tests.
  const server = http
    .createServer((request, response) => {
+      if (!isAcceptablePath(request.url)) {
+        response.writeHead(400);
+        response.end("Invalid path");
+        return;
+      }
      const filePath = process.cwd() + "/test/pdfs" + request.url;
      fs.promises.lstat(filePath).then(
        stat => {