Merge pull request #19096 from Rob--W/test-server-hardening

Fix path traversal issue in createTemporaryNodeServer
mozilla · Nov 24, 2024 · 8ae5b4e · 8ae5b4e
2 parents 9017e80 + 17da8ee
commit 8ae5b4e
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/test/unit/test_utils.js b/test/unit/test_utils.js
@@ -127,9 +127,23 @@ function createTemporaryNodeServer() {
 
   const fs = process.getBuiltinModule("fs"),
     http = process.getBuiltinModule("http");
+  function isAcceptablePath(requestUrl) {
+    try {
+      // Reject unnormalized paths, to protect against path traversal attacks.
+      const url = new URL(requestUrl, "https://localhost/");
+      return url.pathname === requestUrl;
+    } catch {
+      return false;
+    }
+  }
   // Create http server to serve pdf data for tests.
   const server = http
     .createServer((request, response) => {
+      if (!isAcceptablePath(request.url)) {
+        response.writeHead(400);
+        response.end("Invalid path");
+        return;
+      }
       const filePath = process.cwd() + "/test/pdfs" + request.url;
       fs.promises.lstat(filePath).then(
         stat => {