tools/run-dev-server: Don't serve contents outside of the repo

Bug: 221101533
Change-Id: I4fa8e1b485805f829f2f0d771b713d45d649a024
diff --git a/ui/build.js b/ui/build.js
index e01e45d..e043026 100644
--- a/ui/build.js
+++ b/ui/build.js
@@ -466,6 +466,13 @@
           absPath = pjoin(ROOT_DIR, uri);
         }
 
+        // Don't serve contents outside of the project root (b/221101533).
+        if (path.relative(ROOT_DIR, absPath).startsWith('..')) {
+          res.writeHead(403);
+          res.end('403 Forbidden - Request path outside of the repo root');
+          return;
+        }
+
         fs.readFile(absPath, function(err, data) {
           if (err) {
             res.writeHead(404);
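Review bot: The added guard `path.relative(ROOT_DIR, absPath).startsWith('..')` is a purely lexical prefix test, which makes it slightly too broad and possibly incomplete. It refuses in-repo names that merely begin with two dots (a constructed example: `..cache/x`), and on Windows `path.relative` returns an absolute path when the two paths sit on different drives, which would not start with `..`. I would compute `const rel = path.relative(ROOT_DIR, absPath);` and test `if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {`. The check also does not resolve symlinks, so a link inside the repo that points elsewhere would presumably still be read by `fs.readFile`; comparing `fs.realpathSync` results for both paths would cover that if it matters for this dev server. The request handler starts and ends outside this hunk, so how `uri` is decoded and how the other `absPath` branch is built cannot be confirmed from here.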