[flutter_tools] avoid serving files outside of expected paths (#58653)

2020-06-04 11:53:04 -07:00
parent 03524a426f
commit 3bc4a82605
2 changed files with 32 additions and 9 deletions
--- a/packages/flutter_tools/lib/src/build_runner/devfs_web.dart
+++ b/packages/flutter_tools/lib/src/build_runner/devfs_web.dart
@@ -275,7 +275,10 @@ class WebAssetServer implements AssetReader {
  // handle requests for JavaScript source, dart sources maps, or asset files.
  @visibleForTesting
  Future<shelf.Response> handleRequest(shelf.Request request) async {
-    final String requestPath = request.url.path;
+    String requestPath = request.url.path;
+    while (requestPath.startsWith('/')) {
+      requestPath = requestPath.substring(1);
+    }
    final Map<String, String> headers = <String, String>{};
    // If the response is `/`, then we are requesting the index file.
    if (request.url.path == '/' || request.url.path.isEmpty) {
@@ -339,8 +342,9 @@ class WebAssetServer implements AssetReader {
    }

    if (!file.existsSync()) {
-      final String webPath = globals.fs.path.join(
-        globals.fs.currentDirectory.childDirectory('web').path, requestPath);
+      final Uri webPath = globals.fs.currentDirectory
+        .childDirectory('web')
+        .uri.resolve(requestPath);
      file = globals.fs.file(webPath);
    }

@@ -524,16 +528,14 @@ class WebAssetServer implements AssetReader {
    final Directory dartSdkParent = globals.fs
      .directory(globals.artifacts.getArtifactPath(Artifact.engineDartSdkPath))
      .parent;
-    final File dartSdkFile = globals.fs.file(globals.fs.path
-      .joinAll(<String>[dartSdkParent.path, ...segments]));
+    final File dartSdkFile = globals.fs.file(dartSdkParent.uri.resolve(path));
    if (dartSdkFile.existsSync()) {
      return dartSdkFile;
    }

-    final String flutterWebSdk = globals.artifacts
-      .getArtifactPath(Artifact.flutterWebSdk);
-    final File webSdkFile = globals.fs
-      .file(globals.fs.path.joinAll(<String>[flutterWebSdk, ...segments]));
+    final Directory flutterWebSdk = globals.fs.directory(globals.artifacts
+      .getArtifactPath(Artifact.flutterWebSdk));
+    final File webSdkFile = globals.fs.file(flutterWebSdk.uri.resolve(path));

    return webSdkFile;
  }
--- a/packages/flutter_tools/test/general.shard/web/devfs_web_test.dart
+++ b/packages/flutter_tools/test/general.shard/web/devfs_web_test.dart
@@ -108,6 +108,27 @@ void main() {
    Platform: () => linux,
  }));

+  test('Removes leading slashes for valid requests to avoid requesting outside'
+    ' of served directory', () => testbed.run(() async {
+    globals.fs.file('foo.png').createSync();
+    globals.fs.currentDirectory = globals.fs.directory('project_directory')
+      ..createSync();
+
+    final File source = globals.fs.file(globals.fs.path.join('web', 'foo.png'))
+      ..createSync(recursive: true)
+      ..writeAsBytesSync(kTransparentImage);
+    final Response response = await webAssetServer
+      .handleRequest(Request('GET', Uri.parse('http://foobar////foo.png')));
+
+    expect(response.headers, allOf(<Matcher>[
+      containsPair(HttpHeaders.contentLengthHeader, source.lengthSync().toString()),
+      containsPair(HttpHeaders.contentTypeHeader, 'image/png'),
+      containsPair(HttpHeaders.etagHeader, isNotNull),
+      containsPair(HttpHeaders.cacheControlHeader, 'max-age=0, must-revalidate')
+    ]));
+    expect((await response.read().toList()).first, source.readAsBytesSync());
+  }));
+
  test('serves JavaScript files from in memory cache not from manifest', () => testbed.run(() async {
    webAssetServer.writeFile('foo.js', 'main() {}');