/*
* Copyright (c) 2014-2020 Bjoern Kimminich.
* SPDX-License-Identifier: MIT
*/
const path = require('path')
const utils = require('../lib/utils')
const insecurity = require('../lib/insecurity')
const challenges = require('../data/datacache').challenges
/**
 * Factory for the Express handler behind the `/ftp/:file` download route.
 * The handler serves a file from the sibling `ftp/` directory when the
 * requested name passes the checks below; otherwise it sets status 403 and
 * forwards an Error to `next`.
 *
 * SECURITY NOTE (review): this handler is deliberately weak. It belongs to an
 * intentionally vulnerable application and several challenges below depend
 * on the weakness, so it is NOT fixed here — do not copy it into a real
 * server. Concretely:
 *  - the extension allow-list is evaluated on the raw name, and only THEN is
 *    a poison-null-byte marker cut off, so a name of the form
 *    `<target>%00.md` passes the check while a different file is read;
 *  - the only traversal guard is the forward-slash check; the resolved path
 *    is never verified to remain inside `ftp/`;
 *  - `incident-support.kdbx` is special-cased past the allow-list.
 * A hardened version would decode/normalise first, reduce the name with
 * `path.basename`, validate THAT name against the allow-list, and reject any
 * resolved path that does not start with the `ftp/` directory.
 */
module.exports = function servePublicFiles () {
  /** Allow-list check: true when `name` ends in `.md` or `.pdf`. */
  const hasAllowedExtension = (name) =>
    utils.endsWith(name, '.md') || utils.endsWith(name, '.pdf')

  /**
   * Marks whichever challenges the *final* (post-truncation) name solves.
   * Each challenge matches one exact file name, compared case-insensitively;
   * the comparison is wrapped in a thunk so `solveIf` decides when to run it.
   */
  const trackSolvedChallenges = (name) => {
    const isNamed = (expected) => () => name.toLowerCase() === expected
    utils.solveIf(challenges.easterEggLevelOneChallenge, isNamed('eastere.gg'))
    utils.solveIf(challenges.directoryListingChallenge, isNamed('acquisitions.md'))
    utils.solveIf(challenges.forgottenDevBackupChallenge, isNamed('package.json.bak'))
    utils.solveIf(challenges.forgottenBackupChallenge, isNamed('coupons_2013.md.bak'))
    utils.solveIf(challenges.misplacedSignatureFileChallenge, isNamed('suspicious_errors.yml'))
  }

  /**
   * Second-stage check plus the actual send. Rejects with 403 unless `name`
   * is non-empty and either passes the allow-list or is the special-cased
   * `incident-support.kdbx`. On success it truncates the name at a poison
   * null byte, records challenge progress and streams the file from `ftp/`.
   */
  const verifyAndSend = (name, res, next) => {
    const permitted = Boolean(name) &&
      (hasAllowedExtension(name) || name === 'incident-support.kdbx')
    if (!permitted) {
      res.status(403)
      next(new Error('Only .md and .pdf files are allowed!'))
      return
    }
    // The truncation runs AFTER the extension check above — this ordering is
    // the intentional bypass that the null-byte challenges rely on.
    const served = insecurity.cutOffPoisonNullByte(name)
    trackSolvedChallenges(served)
    res.sendFile(path.resolve(__dirname, '../ftp/', served))
  }

  return ({ params }, res, next) => {
    const requested = params.file
    // A forward slash in the name is the only traversal guard applied here.
    if (requested.includes('/')) {
      res.status(403)
      next(new Error('File names cannot contain forward slashes!'))
      return
    }
    verifyAndSend(requested, res, next)
  }
}