serve-handler
Comparing version 5.0.8 to 6.0.0
{ | ||
"name": "serve-handler", | ||
"version": "5.0.8", | ||
"version": "6.0.0", | ||
"description": "The routing foundation of `serve` and static deployments on Now", | ||
@@ -5,0 +5,0 @@ "main": "src/index.js", |
@@ -61,2 +61,3 @@ # serve-handler | ||
| [`renderSingle`](#rendersingle-boolean) | If a directory only contains one file, render it | | ||
| [`symlinks`](#symlinks-boolean) | Resolve symlinks instead of rendering a 404 error | | ||
@@ -263,2 +264,16 @@ ### public (String) | ||
### symlinks (Boolean) | ||
For security purposes, symlinks are disabled by default. If `serve-handler` encounters a symlink, it will treat it as if it doesn't exist in the first place. In turn, a 404 error is rendered for that path. | ||
However, this behavior can easily be adjusted: | ||
```js | ||
{ | ||
"symlinks": true | ||
} | ||
``` | ||
Once this property is set as shown above, all symlinks will automatically be resolved to their targets. | ||
## Error templates | ||
@@ -280,3 +295,4 @@ | ||
await handler(request, response, undefined, { | ||
stat(path) {}, | ||
lstat(path) {}, | ||
realpath(path) {}, | ||
createReadStream(path, config) {} | ||
@@ -283,0 +299,0 @@ readdir(path) {}, |
// Native | ||
const {promisify} = require('util'); | ||
const path = require('path'); | ||
const {stat, createReadStream, readdir} = require('fs'); | ||
const {realpath, lstat, createReadStream, readdir} = require('fs'); | ||
@@ -330,6 +330,6 @@ // Packages | ||
if (methods.stat) { | ||
stats = await handlers.stat(filePath, true); | ||
if (methods.lstat) { | ||
stats = await handlers.lstat(filePath, true); | ||
} else { | ||
stats = await handlers.stat(filePath); | ||
stats = await handlers.lstat(filePath); | ||
} | ||
@@ -470,3 +470,3 @@ | ||
try { | ||
stats = await handlers.stat(errorPage); | ||
stats = await handlers.lstat(errorPage); | ||
} catch (err) { | ||
@@ -517,3 +517,4 @@ if (err.code !== 'ENOENT') { | ||
const getHandlers = methods => Object.assign({ | ||
stat: promisify(stat), | ||
lstat: promisify(lstat), | ||
realpath: promisify(realpath), | ||
createReadStream, | ||
@@ -586,3 +587,3 @@ readdir: promisify(readdir), | ||
try { | ||
stats = await handlers.stat(absolutePath); | ||
stats = await handlers.lstat(absolutePath); | ||
} catch (err) { | ||
@@ -599,3 +600,3 @@ if (err.code !== 'ENOENT') { | ||
try { | ||
const related = await findRelated(current, relativePath, rewrittenPath, handlers.stat); | ||
const related = await findRelated(current, relativePath, rewrittenPath, handlers.lstat); | ||
@@ -614,3 +615,3 @@ if (related) { | ||
try { | ||
stats = await handlers.stat(absolutePath); | ||
stats = await handlers.lstat(absolutePath); | ||
} catch (err) { | ||
@@ -661,3 +662,8 @@ if (err.code !== 'ENOENT') { | ||
if (!stats) { | ||
const isSymLink = stats && stats.isSymbolicLink(); | ||
// There are two scenarios in which we want to reply with | ||
// a 404 error: Either the path does not exist, or it is a | ||
// symlink while the `symlinks` option is disabled (which it is by default). | ||
if (!stats || (!config.symlinks && isSymLink)) { | ||
// allow for custom 404 handling | ||
@@ -671,2 +677,10 @@ return handlers.sendError(absolutePath, response, acceptsJSON, current, handlers, config, { | ||
// If we figured out that the target is a symlink, we need to | ||
// resolve the symlink and run a new `stat` call just for the | ||
// target of that symlink. | ||
if (isSymLink) { | ||
absolutePath = await handlers.realpath(absolutePath); | ||
stats = await handlers.lstat(absolutePath); | ||
} | ||
const streamOpts = {}; | ||
@@ -680,2 +694,3 @@ | ||
const {start, end} = range[0]; | ||
streamOpts.start = start; | ||
@@ -682,0 +697,0 @@ streamOpts.end = end; |
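Review bot: The symlink gate `if (!stats || (!config.symlinks && isSymLink))` only sees the final path component, because `lstat` still follows symlinked directories earlier in `absolutePath`; with `symlinks` disabled, a file requested under a linked directory would presumably still be served, which is weaker than the README's promise to treat symlinks as if they don't exist. When the option is off, comparing the resolved path with the requested one would close that gap, e.g. `const resolved = await handlers.realpath(absolutePath);` followed by `if (!config.symlinks && resolved !== absolutePath) { /* same 404 path */ }`, though this needs care if the public directory itself sits behind a link. With the option on, the path returned by `realpath` is used without a visible check that it is still inside `current`, so a comment stating that targets outside the public directory are served by design would help operators decide whether to enable it. The enclosing function starts and ends outside these hunks, so an existing containment check elsewhere can't be ruled out.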
New author
Supply chain risk: A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but they do indicate a change to the security surface area of a package.
Found 1 instance in 1 package