status-im
/
metro
mirror of https://github.com/status-im/metro.git
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
metro/react-packager
History
Shayne Sweeney 18612273be Fix asset path-traversal outside of roots 
Summary:`/assets/...` requests previously supported path-traversal potentially exposing and serving (private) files outside roots.

**Test plan**

Prior to patching perform the a path-traversal request to the server:
```
GET /assets/../../../../etc/hosts HTTP/1.1
Cache-Control: no-store
Host: 127.0.0.1:8081
Connection: close
Accept-Encoding: gzip
User-Agent: okhttp/2.5.0
```

Apply patch and verify a `404` response with body: `Asset not found`

Test normal asset requests work.
Closes https://github.com/facebook/react-native/pull/6398

Differential Revision: D3034857

Pulled By: shayne

fb-gh-sync-id: f0e6714e4e3c5a63a3a402634a1eb5f3186d3561
shipit-source-id: f0e6714e4e3c5a63a3a402634a1eb5f3186d3561
 		2016-03-21 21:58:22 -07:00
..
src Fix asset path-traversal outside of roots 2016-03-21 21:58:22 -07:00
.npmignore [react-packager][streamline oss] Move open sourced JS source to react-native-github 2015-02-19 21:25:11 -08:00
index.js Update node-haste and replace fast-path with node-haste's version to fix Windows compatibility 2016-03-11 06:00:30 -08:00
rn-babelrc.json Use "babel-preset-react-native" 2016-02-03 08:15:32 -08:00