fix: disable legacy server-side JavaScript in webroot by default in YAML-format confi...
[svrjs.git] / src / middleware / checkForbiddenPaths.js
// Used by the middleware below to detect Windows (os.platform()).
const os = require("os");

// Read once, when this module is loaded, from the process-wide server
// configuration. The middleware's own `config` argument is not consulted for
// this flag.
const { useWebRootServerSideScript } = process.serverConfig;
/**
 * Middleware that denies HTTP access to the server-side JavaScript file when
 * that file is kept in the webroot.
 *
 * The check only runs when `useWebRootServerSideScript` is truthy; otherwise
 * every request is handed straight to `next()` and nothing is blocked here.
 *
 * The request path is percent-decoded once and runs of "/" are collapsed
 * before the comparison, so "//serverSideScript.js" and a percent-encoded
 * spelling of the file name are matched as well.
 *
 * NOTE(review): the comparison is an exact match against the root path. This
 * function does not resolve "." or ".." segments itself; presumably an
 * earlier middleware normalises the path first. Confirm against the
 * middleware order.
 * NOTE(review): case-insensitive matching is applied on win32 only. Other
 * deployments on case-insensitive file systems are not covered by this check.
 * Confirm whether that matters for supported platforms.
 *
 * @param {object} req - Request; `req.parsedURL.pathname` is read.
 * @param {object} res - Response; `res.error(status)` sends the error page.
 * @param {object} logFacilities - Logger; `errmessage` records the denial.
 * @param {object} config - Unused by this middleware.
 * @param {Function} next - Continues to the next middleware.
 */
module.exports = (req, res, logFacilities, config, next) => {
  // Option disabled: there is no protected file to guard.
  if (!useWebRootServerSideScript) {
    next();
    return;
  }

  let normalizedPath = "";
  try {
    // decodeURIComponent throws on malformed percent-escapes; such requests
    // are rejected with 400 instead of being compared in raw form.
    const decodedPath = decodeURIComponent(req.parsedURL.pathname);
    normalizedPath = decodedPath.replace(/\/+/g, "/");
    // eslint-disable-next-line no-unused-vars
  } catch (err) {
    res.error(400);
    return;
  }

  // Forbid access to server-side JavaScript, if it is in the webroot.
  const isExactMatch = normalizedPath === "/serverSideScript.js";
  const isForbidden =
    isExactMatch ||
    // Windows file names are matched case-insensitively, so every casing of
    // the file name has to be refused there.
    (os.platform() === "win32" &&
      normalizedPath.toLowerCase() === "/serversidescript.js");

  if (!isForbidden) {
    next();
    return;
  }

  res.error(403);
  logFacilities.errmessage("Access to server-side JavaScript is denied.");
};

// NOTE(review): presumably marks this middleware as one that may also run for
// proxied requests. Confirm against the code that reads `proxySafe`.
module.exports.proxySafe = true;