backuppc
2026-01-21 11:57:22 +09:00
parent 2ce9bffb1d
commit 76fb06dc31
2 changed files with 13 additions and 5 deletions


@@ -99,10 +99,20 @@ function startServer() {
}
}
let filePath = path.join(__dirname, 'dist', req.url === '/' ? 'index.html' : req.url);
// Fix for Windows: req.url starts with / which path.join treats as absolute
const requestPath = req.url === '/' ? '/index.html' : req.url;
// Remove leading slash for path.join to work relatively
const relativePath = requestPath.startsWith('/') ? requestPath.slice(1) : requestPath;
// Decoding URL (handling spaces etc)
const decodedPath = decodeURIComponent(relativePath);
let filePath = path.join(__dirname, 'dist', decodedPath);
// Prevent directory traversal
if (!filePath.startsWith(path.join(__dirname, 'dist'))) {
const distRoot = path.join(__dirname, 'dist');
if (!filePath.startsWith(distRoot)) {
console.log(`[Security Block] ${filePath} is outside ${distRoot}`);
res.writeHead(403);
res.end('Forbidden');
return;