rollup-plugin-serve - npm Package Compare versions

Comparing version 1.0.1 to 1.0.2

CHANGELOG.md

@@ -5,2 +5,6 @@ # Changelog
 
+## [1.0.2] - 2020-07-17
+### Fixed
+- Fix path traversal issue
+
 ## [1.0.1] - 2019-01-27
@@ -7,0 +11,0 @@ ### Added

dist/index.cjs.js

@@ -34,4 +34,7 @@ 'use strict';
     // Remove querystring
-    var urlPath = decodeURI(request.url.split('?')[0]);
+    var unsafePath = decodeURI(request.url.split('?')[0]);
 
+    // Don't allow path traversal
+    var urlPath = path.normalize(unsafePath);
+
     Object.keys(options.headers).forEach(function (key) {
@@ -38,0 +41,0 @@ response.setHeader(key, options.headers[key]);

dist/index.es.js

 import { readFile } from 'fs';
 import { createServer } from 'https';
 import { createServer as createServer$1 } from 'http';
-import { resolve } from 'path';
+import { resolve, normalize } from 'path';
 import mime from 'mime';
@@ -30,4 +30,7 @@ import opener from 'opener';
     // Remove querystring
-    var urlPath = decodeURI(request.url.split('?')[0]);
+    var unsafePath = decodeURI(request.url.split('?')[0]);
 
+    // Don't allow path traversal
+    var urlPath = normalize(unsafePath);
+
     Object.keys(options.headers).forEach(function (key) {
@@ -34,0 +37,0 @@ response.setHeader(key, options.headers[key]);

package.json

 {
   "name": "rollup-plugin-serve",
-  "version": "1.0.1",
+  "version": "1.0.2",
   "description": "Serve your rolled up bundle",
@@ -5,0 +5,0 @@ "main": "dist/index.cjs.js",

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

18781

increased by1.27%

Lines of code

292

increased by1.39%

No dependency changes