Re:: "absolutize" a path in Luvit

[Vladimir Dronnikov]

Path.normalize() and Path.resolve() will help you

12.07.2012 1:18 пользователь "Enrique Garcia Cota" <kik...@gmail.com> написал:

Hi there,

I started hacking around with with Luvit just today. I am pretty experienced in Lua and Ruby, but not so much in node.js . So please be gentle :)

While examining the "static file server" in the examples folder, I realized that it was not very "secure" - someone could, for example, use "dot dot" in the url to get access to files outside the www root. In order to learn, I'm trying to add "security", so those upper accesses are rejected. I would like "dot dot" to be allowed if the resulting path was viewable to users.

IMHO the easiest way to do that would be to finding a way to "absolutize" folders. Once the "root" path and the "request" path are absolutized, finding out whether one is inside the other is simple.

Ideally, I would like something similar to this:

path.absolutize(".") -- return /home/username/projects/luvit/server

I checked, and path doesn't seem to offer this. I think neither does node, so maybe I'm just asking the wrong question.

Is what I'm asking possible?

Thanks a lot,

Enrique

[Enrique Garcia Cota]

Hi,

Thanks for answering so fast.

Path.normalize() and Path.resolve() will help you

I tried both of those, but none seems to be able to absolutize a path starting with a dot:

> path = require "path"

> path.normalize(".")

"."

> path.resolve(".", ".")

"./."

> path.normalize(path.resolve(".", "."))

"."

I want something similar to "/home/username/projects/luvit" instead.

Regards,

Enrique

[Enrique Garcia Cota]

I have found an easy enough to understand implementation of absolutize in rubinious (ruby):

https://github.com/rubinius/rubinius/blob/master/kernel/common/file.rb#L395

Two questions:

• Does Luvit have access to environment variables (such as $HOME)?
• I think I can try to make a patch for Luvit adding this method to path. Would the Luvit people be interested on it, or is it too specific?

Best regards,

Enrique

[Vladimir Dronnikov]

> I have found an easy enough to understand implementation of absolutize in
> rubinious (ruby):
>
> https://github.com/rubinius/rubinius/blob/master/kernel/common/file.rb#L395
>

I'd recommend you to put security efforts to
https://github.com/dvv/luvit-static -- it's used to serve
http://luvit.io

> Two questions:
>
> Does Luvit have access to environment variables (such as $HOME)?

`process.env.HOME`

> I think I can try to make a patch for Luvit adding this method to path.
> Would the Luvit people be interested on it, or is it too specific?

we have `__dirname` in modules, plus `process.cwd()` to get absolute
current path.
So, consider trying
`require('path').normalize(require('path').resolve(process.cwd(),
'../aa/../b'))` first to see if it fits

--Vladimir

[Enrique Garcia Cota]

I didn't know about __dirname and process.cwd() bits. I will check them out!

I'd recommend you to put security efforts to
https://github.com/dvv/luvit-static -- it's used to serve
http://luvit.io

I was thinking about implementing a path.expand(filepath, dir) method, but for luvit itself. Then it could be used in luvit-static, or any other project. I think it is general enough, but I'm not certain (especially since node doesn't seem to have an absolutize method neither).

Let me tinker with the code for a while and see what I can get.

Enrique

[Vladimir Dronnikov]

consider joining the club -- #luvit at irc.freenode.net