Fix a bug in asset server when using relative project roots

Summary: This PR fixes a bug where when using relative roots for the packager server, asset paths would be deemed invalid by the recently introduced security check. Resolving the root to an absolute path fixes that problem.

I'd be happy to write a regression test for this but I had a hard time setting up a mock file system with relative paths. If it is required, some help would be appreciated...
Closes https://github.com/facebook/react-native/pull/7161

Differential Revision: D3214840

fb-gh-sync-id: 08e13fb9f94a98206fd2d090f74a8b63ba2bf80f
fbshipit-source-id: 08e13fb9f94a98206fd2d090f74a8b63ba2bf80f
Alexander Micklewright 2016-04-22 16:05:46 -07:00 committed by Facebook Github Bot 5
parent 4b907d2312
commit 3881694892
1 changed files with 2 additions and 1 deletions

@ -129,13 +129,14 @@ class AssetServer {
_findRoot(roots, dir) {
return Promise.all(
roots.map(root => {
const absRoot = path.resolve(root);
// important: we want to resolve root + dir
// to ensure the requested path doesn't traverse beyond root
const absPath = path.resolve(root, dir);
return stat(absPath).then(fstat => {
// keep asset requests from traversing files
// up from the root (e.g. ../../../etc/hosts)
if (!absPath.startsWith(root)) {
if (!absPath.startsWith(absRoot)) {
return {path: absPath, isValid: false};
}
return {path: absPath, isValid: fstat.isDirectory()};
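
Review bot: the containment test `absPath.startsWith(absRoot)` is a raw string prefix match with no path-separator boundary, so a resolved path in a sibling directory whose name merely begins with the root's name (for example a root of `/srv/app` and a resolved path under `/srv/app-private`) still passes as valid. Consider accepting only `absPath === absRoot` or `absPath.startsWith(absRoot + path.sep)`, or deriving `path.relative(absRoot, absPath)` and rejecting results that start with `..` or are absolute. Two smaller points on the same lines: `absPath` is still computed as `path.resolve(root, dir)` while the check uses `absRoot`, so `path.resolve(absRoot, dir)` would keep the two visibly tied to one base; and `stat(absPath)` runs before the containment check, so the file system is touched for paths that are then rejected, which could be avoided by checking first. The commit message notes there is no regression test; a case with a relative root and a `dir` containing `..` segments would pin this behaviour down.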