mirror of
https://github.com/status-im/metro.git
synced 2025-01-30 21:05:11 +00:00
18612273be
Summary: `/assets/...` requests previously supported path-traversal potentially exposing and serving (private) files outside roots.

**Test plan**

Prior to patching perform a path-traversal request to the server:

```
GET /assets/../../../../etc/hosts HTTP/1.1
Cache-Control: no-store
Host: 127.0.0.1:8081
Connection: close
Accept-Encoding: gzip
User-Agent: okhttp/2.5.0
```

Apply patch and verify a `404` response with body: `Asset not found`

Test normal asset requests work.

Closes https://github.com/facebook/react-native/pull/6398

Differential Revision: D3034857

Pulled By: shayne

fb-gh-sync-id: f0e6714e4e3c5a63a3a402634a1eb5f3186d3561
shipit-source-id: f0e6714e4e3c5a63a3a402634a1eb5f3186d3561
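The containment check that the test plan above exercises, written as an added example: this is not the code from the commit, and `candidatePaths`, `respond`, the `/srv/...` roots and the injected `exists` predicate are all hypothetical. It resolves the requested path against each root and answers `404` / `Asset not found` unless the result is still inside a root.

```javascript
// Added example, not the patched project's code. All names and roots are hypothetical.
const path = require('path').posix; // POSIX rules so results are deterministic

const ASSET_PREFIX = '/assets/';

// Return the file paths a request may map to, keeping only those inside a root.
function candidatePaths(urlPath, roots) {
  if (!urlPath.startsWith(ASSET_PREFIX)) return [];
  let rel;
  try {
    rel = decodeURIComponent(urlPath.slice(ASSET_PREFIX.length)); // catches %2e%2e too
  } catch (err) {
    return []; // malformed percent-encoding
  }
  if (rel.includes('\0')) return [];
  const inside = [];
  for (const root of roots) {
    const base = path.resolve(root);
    const candidate = path.resolve(base, rel); // collapses every ".." segment
    const fromBase = path.relative(base, candidate);
    // Outside when the relative path is empty (the root itself) or climbs upward.
    // Comparing whole segments keeps /srv/app from matching /srv/app-private.
    const escapes = fromBase === '' || fromBase === '..' || fromBase.startsWith('../');
    if (!escapes) inside.push(candidate);
  }
  return inside;
}

// `exists` is injected so the example runs without touching the filesystem.
function respond(urlPath, roots, exists) {
  const hit = candidatePaths(urlPath, roots).find(exists);
  return hit
    ? { status: 200, file: hit }
    : { status: 404, body: 'Asset not found' };
}

const roots = ['/srv/app', '/srv/lib']; // constructed sample roots
const onDisk = (p) => p === '/srv/app/img/logo.png'; // constructed sample file
console.log(respond('/assets/../../../../etc/hosts', roots, () => true));
console.log(respond('/assets/img/logo.png', roots, onDisk));
```

The check is made on the resolved path rather than by searching the raw URL for `..`, so encoded segments and sibling directories that share a prefix with a root are rejected by the same comparison.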