Thanks for pointing this out. Fixed this particular bug!

q3k · on Feb 26, 2019

You also need to report this to security@npmjs.com so they post an advisory [1] and mark the existing versions as vulnerable.

[1] - https://www.npmjs.com/advisories

Sephr · on Feb 26, 2019

Anyone, including yourself can do that.

rarecoil · on Feb 27, 2019

Everyone's talking about it but nobody did it, so I did.

cat199 · on Feb 26, 2019

or, the person who should do it should do it and not rely on others to do their job for them?

danr4 · on Feb 26, 2019

it's not their job. there's a reason anyone can do it.

wesleytodd · on Feb 26, 2019

Seems like your fix[1] for this is a bit fast. You are already importing `path` in that file. Also, you can do this with just one `path.relative`. Lastly, the url package method you are using is deprecated[2].

[1] https://github.com/remoteinterview/zero/commit/b4af5325c388e... [2] https://nodejs.org/api/url.html#url_legacy_url_api

the_mitsuhiko · on Feb 26, 2019

This fix does not even work on windows. You can still request data on a different drive.

hombre_fatal · on Feb 26, 2019

A simpler fix might be to canonicalize (i.e. no "..") the public folder path and the requested file path and then ensure the public path is a prefix of the other.

Kalium · on Feb 26, 2019

Any fix also needs to be sure to resolve any symlinks before doing a prefix check.