Merge pull request #189 from strongloop/proper-path

Fix path joining/expanding

lib/providers/filesystem/index.js

@@ -40,9 +40,11 @@ function FileSystemProvider(options) {
 }
 
 var namePattern = new RegExp('[^' + path.sep + '/]+');
+// To detect any file/directory containing dotdot paths
+var containsDotDotPaths = /(^|[\\\/])\.\.([\\\/]|$)/;
 
 function validateName(name, cb) {
-  if (!name) {
+  if (!name || containsDotDotPaths.test(name)) {
     cb && process.nextTick(cb.bind(null, new Error(g.f('Invalid name: %s', name))));
     if (!cb) {
       console.error(g.f('{{FileSystemProvider}}: Invalid name: %s', name));

test/fs.test.js

@@ -161,4 +161,3 @@ describe('FileSystem based storage provider', function() {
     });
   });
 });
-

test/upload-download.test.js

@@ -173,6 +173,42 @@ describe('storage service', function() {
       });
   });
 
+  it('fails to upload using dotdot file path', function(done) {
+    request('http://localhost:' + app.get('port'))
+      .post('/containers/%2e%2e/upload')
+      .expect(200, function(err, res) {
+        assert(err);
+        done();
+      });
+  });
+
+  it('fails to upload using  dotdot file path', function(done) {
+    request('http://localhost:' + app.get('port'))
+      .post('%2e%2e/containers/upload')
+      .expect(200, function(err, res) {
+        assert(err);
+        done();
+      });
+  });
+
+  it('fails to upload using dotdot file path', function(done) {
+    request('http://localhost:' + app.get('port'))
+      .post('%2e%2e')
+      .expect(200, function(err, res) {
+        assert(err);
+        done();
+      });
+  });
+
+  it('fails to upload using dotdot file path', function(done) {
+    request('http://localhost:' + app.get('port'))
+      .post('/containers/upload/%2e%2e')
+      .expect(200, function(err, res) {
+        assert(err);
+        done();
+      });
+  });
+
   it('uploads files with renamer', function(done) {
     request('http://localhost:' + app.get('port'))
       .post('/imageContainers/album1/upload')