serve-handler
Comparing version 3.2.2 to 3.2.3
{ | ||
"name": "serve-handler", | ||
"version": "3.2.2", | ||
"version": "3.2.3", | ||
"description": "The routing foundation of `serve` and static deployments on Now", | ||
@@ -5,0 +5,0 @@ "main": "src/index.js", |
@@ -493,5 +493,4 @@ // Native | ||
const handlers = getHandlers(methods); | ||
const relativePath = decodeURIComponent(url.parse(request.url).pathname); | ||
let absolutePath = path.join(current, relativePath); | ||
let relativePath = null; | ||
let acceptsJSON = null; | ||
@@ -503,2 +502,14 @@ | ||
try { | ||
relativePath = decodeURIComponent(url.parse(request.url).pathname); | ||
} catch (err) { | ||
return sendError(response, acceptsJSON, current, handlers, config, { | ||
statusCode: 400, | ||
code: 'bad_request', | ||
message: 'Bad Request' | ||
}); | ||
} | ||
let absolutePath = path.join(current, relativePath); | ||
// Prevent path traversal vulnerabilities. We could do this | ||
@@ -505,0 +516,0 @@ // by ourselves, but using the package covers all the edge cases. |
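Review bot: The new `catch (err)` around `decodeURIComponent(url.parse(request.url).pathname)` maps every exception to a 400 and never looks at `err`, although the case it exists for is the `URIError` that `decodeURIComponent` throws on malformed percent-encoding. I would state that in a comment above the `try`, for example `// decodeURIComponent throws URIError on malformed percent-encoding; answer 400 instead of letting it escape the handler`, and narrow the catch with `if (!(err instanceof URIError)) throw err;` so unrelated failures are not reported as a client error. `acceptsJSON` is declared as `null` a few lines earlier and the lines between that declaration and the `try` are not shown, so it is worth confirming it has been assigned before it is passed to `sendError` here. A path that decodes successfully can still carry a NUL byte (from `%00`) into `path.join`; whether the traversal check and the filesystem calls that follow handle that is not visible, because the enclosing function continues past this section.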