koa-static - npm Package Compare versions

Comparing version 1.0.0 to 1.1.0

index.js

@@ -6,5 +6,9 @@
 
-var send = require('send');
+debug = require('debug')('koa-static');
 var path = require('path');
+var normalize = path.normalize;
+var basename = path.basename;
+var extname = path.extname;
 var resolve = path.resolve;
+var fs = require('fs');
 var join = path.join;
@@ -33,2 +37,3 @@
   // options
+  debug('static "%s" %j', root, opts);
   var root = resolve(root);
@@ -38,2 +43,3 @@ var index = opts.index || 'index.html';
   var redirect = false !== opts.redirect;
+  var hidden = opts.hidden || false;
 
@@ -43,14 +49,79 @@ return function(next){
       if ('GET' != this.method && 'HEAD' != this.method) return next();
+
+      // TODO: move this stuff into a lib for this.sendfile() etc
       var path = this.path;
+      var trailingSlash = '/' == path[path.length - 1];
 
-      // file stream
-      var stream = send(this.req, path)
-        .hidden(opts.hidden)
-        .maxage(maxage)
-        .index(index)
-        .root(root);
+      // normalize path
+      path = decode(path);
 
-      this.body = stream;
+      if (-1 == path) return this.error('failed to decode', 400);
+
+      // null byte(s)
+      if (~path.indexOf('\0')) return this.error('null bytes', 400);
+
+      // relative to root
+      path = normalize(join(root, path));
+
+      // malicious path, ignore
+      if (0 != path.indexOf(root)) return;
+
+      // hidden file support, ignore
+      if (!hidden && leadingDot(path)) return;
+
+      // index file support
+      if (index && trailingSlash) path += index;
+
+      // stat
+      try {
+        var stats = yield stat(path);
+      } catch (err) {
+        var notfound = ['ENOENT', 'ENAMETOOLONG', 'ENOTDIR'];
+        if (~notfound.indexOf(err.code)) return;  
+        err.status = 500;
+        throw err; 
+      }
+
+      // dir
+      if (stats.isDirectory() && redirect && !trailingSlash) {
+        this.redirect(this.path + '/');
+        this.status = 303;
+        return;
+      }
+
+      // stream
+      this.type = extname(path);
+      this.body = fs.createReadStream(path);
     }
   }
-}
+}
+
+/**
+ * Check if it's hidden.
+ */
+
+function leadingDot(path) {
+  return '.' == basename(path)[0];
+}
+
+/**
+ * Stat thunk.
+ */
+
+function stat(file) {
+  return function(done){
+    fs.stat(file, done);
+  }
+}
+
+/**
+ * Decode `path`.
+ */
+
+function decode(path) {
+  try {
+    return decodeURIComponent(path);
+  } catch (err) {
+    return -1;
+  }
+}

package.json

@@ -5,3 +5,3 @@ {
   "repository": "koajs/static",
-  "version": "1.0.0",
+  "version": "1.1.0",
   "keywords": [
@@ -18,10 +18,11 @@ "koa",
   "devDependencies": {
-    "koa": "0.0.1"
+    "koa": "0.0.1",
+    "should": "~1.2.2",
+    "mocha": "~1.12.0",
+    "supertest": "~0.7.1"
   },
   "license": "MIT",
   "dependencies": {
-    "should": "~1.2.2",
-    "mocha": "~1.12.0",
-    "supertest": "~0.7.1"
+    "debug": "*"
   }
 }

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Wildcard dependency

Quality

Package has a dependency with a floating version range. This can cause issues if the dependency publishes a new major version.

Found 1 instance in 1 package

Filesystem access

Supply chain risk

Accesses the file system, and could potentially read sensitive data.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

3564

increased by75.57%

Dependency count

1

decreased by-66.67%

Lines of code

97

increased by142.5%

Worsened metrics

Dev dependency count

4

increased by300%

Number of medium quality alerts

1

increased byInfinity%

Number of low supply chain risk alerts

2

increased by100%

Dependency changes

• + Addeddebug@*

• - Removedmocha@~1.12.0

• - Removedshould@~1.2.2

• - Removedsupertest@~0.7.1

• - Removedcommander@0.6.1(transitive)

• - Removedcookiejar@1.3.0(transitive)

• - Removeddebug@0.7.4(transitive)

• - Removeddiff@1.0.2(transitive)

• - Removedemitter-component@1.0.0(transitive)

• - Removedformidable@1.0.9(transitive)

• - Removedglob@3.2.1(transitive)

• - Removedgraceful-fs@1.2.3(transitive)

• - Removedgrowl@1.7.0(transitive)

• - Removedinherits@1.0.2(transitive)

• - Removedjade@0.26.3(transitive)

• - Removedlru-cache@2.7.3(transitive)

• - Removedmethods@0.0.1(transitive)

• - Removedmime@1.2.5(transitive)

• - Removedminimatch@0.2.14(transitive)

• - Removedmkdirp@0.3.00.3.5(transitive)

• - Removedmocha@1.12.1(transitive)

• - Removedqs@0.6.5(transitive)

• - Removedshould@1.2.2(transitive)

• - Removedsigmund@1.0.1(transitive)

• - Removedsuperagent@0.15.1(transitive)

• - Removedsupertest@0.7.1(transitive)