gitignore local user file

[perso/Immae/Projets/Nodejs/Surfer.git] / src / files.js

diff --git a/src/files.js b/src/files.js
index 68dfea308dccd04265379508dd89b271fc9ce5f1..747acf7cf1cf5b586af88e32ed3741094ae00577 100644 (file)
--- a/src/files.js
+++ b/src/files.js
@@ -61,6 +61,10 @@ function createDirectory(targetPath, callback) {
     });
 }
 
+function isProtected(targetPath) {
+    return targetPath.indexOf(getAbsolutePath('_admin')) === 0;
+}
+
 function getAbsolutePath(filePath) {
     var absoluteFilePath = path.resolve(path.join(gBasePath, filePath));
 
@@ -73,7 +77,7 @@ function removeBasePath(filePath) {
 }
 
 function get(req, res, next) {
-    var filePath = req.params[0];
+    var filePath = decodeURIComponent(req.params[0]);
     var absoluteFilePath = getAbsolutePath(filePath);
     if (!absoluteFilePath) return next(new HttpError(403, 'Path not allowed'));
 
@@ -108,13 +112,13 @@ function get(req, res, next) {
 }
 
 function put(req, res, next) {
-    var filePath = req.params[0];
+    var filePath = decodeURIComponent(req.params[0]);
 
     if (!(req.files && req.files.file) && !req.query.directory) return next(new HttpError(400, 'missing file or directory'));
     if ((req.files && req.files.file) && req.query.directory) return next(new HttpError(400, 'either file or directory'));
 
     var absoluteFilePath = getAbsolutePath(filePath);
-    if (!absoluteFilePath) return next(new HttpError(403, 'Path not allowed'));
+    if (!absoluteFilePath || isProtected(absoluteFilePath)) return next(new HttpError(403, 'Path not allowed'));
 
     fs.stat(absoluteFilePath, function (error, result) {
         if (error && error.code !== 'ENOENT') return next(new HttpError(500, error));
@@ -141,13 +145,15 @@ function put(req, res, next) {
 }
 
 function del(req, res, next) {
-    var filePath = req.params[0];
+    var filePath = decodeURIComponent(req.params[0]);
     var recursive = !!req.query.recursive;
     var dryRun = !!req.query.dryRun;
 
     var absoluteFilePath = getAbsolutePath(filePath);
     if (!absoluteFilePath) return next(new HttpError(404, 'Not found'));
 
+    if (isProtected(absoluteFilePath)) return next(new HttpError(403, 'Path not allowed'));
+
     // absoltueFilePath has to have the base path prepended
     if (absoluteFilePath.length <= gBasePath.length) return next(new HttpError(404, 'Not found'));
 
@@ -159,7 +165,7 @@ function del(req, res, next) {
         // add globs to get file listing
         if (result.isDirectory()) absoluteFilePath += '/**';
 
-        rm(absoluteFilePath, { dryRun: dryRun }).then(function (result) {
+        rm(absoluteFilePath, { dryRun: dryRun, force: true }).then(function (result) {
             result = result.map(removeBasePath);
             next(new HttpSuccess(200, { entries: result }));
         }, function (error) {