Verified Commit dba822ad authored by Aral Balkan's avatar Aral Balkan

Closes #178: Site.js will refuse to serve root and home directories

This is a security feature, as you would never want to serve either of these directories.
parent b2fda849
......@@ -26,6 +26,10 @@ This release implements a lot of small improvements, some of which have been lon
- Displays a graceful error message if an attempt is made to serve a file instead of a directory (#208).
#### Security:
- Site.js will now refuse to serve the root or home directory for security reasons (#178).
#### Documentation:
- Document initial run `@hostname` error on Mac with stale DNS cache (#138).
......
......@@ -205,6 +205,8 @@ The above caveat aside, the command above is a shorthand for the full form of th
$ site serve . @localhost:443
```
__Note:__ Site.js will refuse to serve the root directory or your home directory for security reasons.
#### To serve on a different port
Just specify the port explicitly as in the following example:
......
......@@ -81,7 +81,7 @@ function enable (args) {
// or a .hugo folder or subfolder. In these cases, try to recover and do the right thing.
const {pathToServe, absolutePathToServe} = Util.magicallyRewritePathToServeIfNecessary(args.positional[0], _pathToServe)
// If there are aliase, we will add them to the configuration so they can
// If there are aliases, we will add them to the configuration so they can
// be passed to the serve command when Site.js is started.
const _aliases = args.named['aliases']
const aliases = _aliases === undefined ? '' : `--aliases=${_aliases}`
......
......@@ -6,6 +6,7 @@
//
//////////////////////////////////////////////////////////////////////
const os = require('os')
const path = require('path')
const clr = require('../lib/clr')
......@@ -14,9 +15,20 @@ class Util {
// It is a common mistake to start the server in a .dynamic folder (or subfolder)
// or a .hugo folder or subfolder, etc. In these cases, try to recover and do the right thing.
static magicallyRewritePathToServeIfNecessary (pathSpecified, pathToServe) {
if (pathToServe === '/') {
console.log(`\n ❌ ${clr('❨site.js❩ Error:', 'red')} Refusing to serve the root directory due to security concerns.\n`)
process.exit(1)
}
if (pathToServe === os.homedir()) {
console.log(`\n ❌ ${clr('❨site.js❩ Error:', 'red')} Refusing to serve home directory due to security concerns.\n`)
process.exit(1)
}
// Only attempt to magically fix the path to serve (if necessary)
// if the current directory way not specifically requested by the person.
let absolutePathToServe = path.resolve(pathToServe)
if (pathSpecified !== '.' && pathToServe === '.') {
const specialFolders = /\.dynamic.*$|\.hugo.*$|\.db.*$|\.wildcard.*$/
const intelligentAbsolutePathToServe = absolutePathToServe.replace(specialFolders, '')
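Review bot: The two new guards at the top of `magicallyRewritePathToServeIfNecessary` compare the raw `pathToServe` string before `path.resolve` runs, so they only fire on the exact literal `/` and the exact `os.homedir()` string. The same function later tests `pathToServe === '.'`, so relative values evidently reach it; `.` with the working directory set to home or root, or a home path with a trailing slash, would resolve to a refused directory without matching either guard. I would move `let absolutePathToServe = path.resolve(pathToServe)` above the guards and compare the resolved value: `if (absolutePathToServe === path.parse(absolutePathToServe).root)` and `if (absolutePathToServe === path.resolve(os.homedir()))`. That also covers Windows drive roots, though a symlink pointing at either directory would still pass unless the path is canonicalised first (for example with `fs.realpathSync`). The function body continues past the end of the hunk, so how `absolutePathToServe` is used afterwards is not visible here.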
......