-
Notifications
You must be signed in to change notification settings - Fork 103
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feature: disable root path check when serve is false #467
feature: disable root path check when serve is false #467
Conversation
7efb216
to
8c39dca
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think simply disable the check is the solution.
- It may fails to serve file because there is no
root
provided. You can see theroot
path is passing everywhere inside the codebase. You must provide test to ensure it will works. - It can leads to security issue because it means by default the serving of files can be escaped to everywhere. You should at least default the
root
to CWD and update the read me.
My remark from three days ago was still not addressed.
|
Note that please do not open another PR for updates or address comment. You should push commit to your branch to address the comments. |
@climba03003 Can you review this PR? |
@@ -408,7 +413,7 @@ function normalizeRoot (root) { | |||
return root | |||
} | |||
|
|||
function checkRootPathForErrors (fastify, rootPath) { | |||
function checkRootPathForErrors (fastify, rootPath, skipExistenceCheck) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am think is it necessary to skip the check of root
path?
You should never use a invalid root path, defaulting to cwd
is a trade-off for security reason.
All of your served file should be contained within to the root
and prevent path escape.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@climba03003 Thank you for your feedback on the security implications. Before implementing changes, I would like to confirm the approach that we remove the skipExistenceCheck
parameter from the checkPath
and checkRootPathForErrors
functions since we need perform full validation of the path.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can skip for cwd, but you must provide a valid root.
No matter other setting.
@nimesh0505 @simoneb ping |
Unfortunately we cannot progress on this PR, so I'm closing it. |
Summary
This MR addresses the issue #460 where the
checkRootPathForErrors
function still requires a valid path to root even whenserve: false
is set.Changes
checkRootPathForErrors
whenserve: false
.serve: false
.Tests
test/static.js
to verify thatcheckRootPathForErrors
is not called whenserve: false
.Checklist
npm run test
andnpm run benchmark
and the Code of conduct