From ef7b17f9284e95326247af0d8ed0e794d856ed87 Mon Sep 17 00:00:00 2001 From: Jafar Akhondali Date: Tue, 30 Jul 2024 18:45:52 +0200 Subject: [PATCH] Block malicious looking requests to prevent path traversal attacks. --- NodeStudy/DEMO_01/index.js | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/NodeStudy/DEMO_01/index.js b/NodeStudy/DEMO_01/index.js index b813eff..dd64d04 100644 --- a/NodeStudy/DEMO_01/index.js +++ b/NodeStudy/DEMO_01/index.js @@ -14,6 +14,11 @@ let server = http.createServer(); server.on('request', function (request, response) { + if (path.normalize(decodeURI(request.url)) !== decodeURI(request.url)) { + response.statusCode = 403; + response.end(); + return; + } /** * response 对象有一个方法:write 可以用来给客户端发送响应数据 * write 可以使用多次,但是最后一定要使用 end 来结束响应,否则客户端会一直等待 response.end()
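Review bot: The added guard calls `decodeURI(request.url)` twice with no error handling, and `decodeURI` throws `URIError` on malformed percent-encoding, so one request with a bad escape raises inside the `request` listener instead of getting the intended 403 and, absent a handler elsewhere, takes the process down; decode once inside a `try`/`catch` and answer 400 on failure, as sketched below. The comparison is also stricter and looser than it looks: `path.normalize` rewrites separators on Windows and `request.url` still carries the query string, so legitimate URLs can be refused, while `decodeURI` leaves `%2F` encoded, so this should not be the only barrier if later code decodes the URL again. The commit adds no `require('path')`, so confirm `path` is already in scope in index.js. The handler body continues outside the hunk and the place where a filesystem path is built is not visible here; resolving the requested path against the served root and checking the result stays inside that root would be the stronger control.

```javascript
server.on('request', function (request, response) {
    let decodedUrl;
    try {
        decodedUrl = decodeURI(request.url);
    } catch (err) {
        // Malformed percent-encoding: reject it here so URIError never escapes the listener.
        response.statusCode = 400;
        response.end();
        return;
    }
    if (path.normalize(decodedUrl) !== decodedUrl) {
        response.statusCode = 403;
        response.end();
        return;
    }
    // … unchanged: rest of the request handler …
```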