From eabbc5332a213373f8d43e2dc2199fe9d4bd47af Mon Sep 17 00:00:00 2001
From: "A.Kadir Mutlu"
Date: Fri, 1 May 2020 01:22:32 +0300
Subject: [PATCH 1/2] Fix Local File Inclusion vulnerability. Fix Local File Inclusion vulnerability Attacker can acces local file via assets router. Sample Attack: /assets/../../../../../../../../etc/passwd
---
 server/routes/assets.js | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/server/routes/assets.js b/server/routes/assets.js
index b85c5ef..0ee2a8c 100644
--- a/server/routes/assets.js
+++ b/server/routes/assets.js
@@ -2,8 +2,24 @@ import path from "path";
 import fs from "fs";
 const BASEPATH = process.env.BASEPATH;
+// From: https://github.com/pillarjs/send/blob/master/index.js#L63
+var UP_PATH_REGEXP = /(?:^|[\\/])\.\.(?:[\\/]|$)/;
+
 const assets = (req, res) => {
 let filePath = req.originalUrl;
+
+ try {
+ filePath = decodeURIComponent(filePath);
+ } catch (err) {
+ return res.status(400).send(new Error("invalid url"));
+ }
+ if (~filePath.indexOf("\0")) {
+ return res.status(401).send(new Error("null byte attack dedected!!"));
+ }
+ if (UP_PATH_REGEXP.test(filePath)) {
+ return res.status(403).send(new Error("LFI attack dedected!!!"));
+ }
+
 if (BASEPATH) {
 filePath = req.originalUrl.replace(`/${BASEPATH}`, ``);
 }
From 93afedfacdcfbd771fe1b658d6549f8c5943cedb Mon Sep 17 00:00:00 2001
From: "A.Kadir Mutlu"
Date: Fri, 1 May 2020 01:25:39 +0300
Subject: [PATCH 2/2] Update assets.js
---
 server/routes/assets.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/routes/assets.js b/server/routes/assets.js
index 0ee2a8c..736b94f 100644
--- a/server/routes/assets.js
+++ b/server/routes/assets.js
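Review bot: The new checks validate a decoded copy of the URL, but the `if (BASEPATH)` branch at the end of this hunk then reassigns `filePath` from the raw `req.originalUrl`, so with BASEPATH set the string that was decoded and checked is not the string the rest of the function uses. Deriving it from the checked value, `filePath = filePath.replace("/" + BASEPATH, "");`, keeps validation and use on the same input. A deny-list regex is also only as good as the decoding in front of it (a later second decode, which this hunk cannot rule out, would not be covered), so the more durable guard is a containment check once the path is joined to the served directory: `const resolved = path.resolve(ASSETS_ROOT, "." + filePath);` followed by `if (!resolved.startsWith(ASSETS_ROOT + path.sep)) return res.sendStatus(403);`, where ASSETS_ROOT is a placeholder for the directory the code outside this hunk reads from. The body of `assets` continues past the hunk, so how `filePath` reaches `fs` is not visible here.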
@@ -11,10 +11,10 @@ const assets = (req, res) => {
 try {
 filePath = decodeURIComponent(filePath);
 } catch (err) {
- return res.status(400).send(new Error("invalid url"));
+ return res.status(403).send(new Error("invalid url"));
 }
 if (~filePath.indexOf("\0")) {
- return res.status(401).send(new Error("null byte attack dedected!!"));
+ return res.status(403).send(new Error("null byte attack dedected!!"));
 }
 if (UP_PATH_REGEXP.test(filePath)) {
 return res.status(403).send(new Error("LFI attack dedected!!!"));
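Review bot: Returning 403 from the `catch` branch folds a malformed percent-encoding (a URIError from `decodeURIComponent`) into the same status as the traversal and null-byte rejections, which makes the three cases indistinguishable in access logs; 400 is the conventional answer for a request that cannot be parsed, so I would keep `res.status(400)` there and reserve 403 for the two policy rejections. Separately, all three branches pass an `Error` object to `send()`; if this is Express, objects are serialized as JSON and an Error's `message` is not enumerable, so the client receives `{}`. Sending a plain string, e.g. `return res.status(403).send("path traversal rejected");`, and logging the rejected URL server-side would make these events usable for monitoring. The third branch was added in the first patch and appears here only as context.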