c9-core/plugins/c9.preview/lib/middleware/sanitize-path-param.js

"use strict";

var Path = require("path");
var error = require("http-error");

module.exports = function sanitzePreviewPath(req, res, next) {
    
    var normalized;
    try {
        normalized = Path.normalize(decodeURIComponent(req.params.path));
    } catch(e) {
        return next(new error.BadRequest("URI malformed"));
    }

    // N.B. Path.normalize does not strip away when the path starts with "../"
    if (normalized)
        normalized = normalized.replace(/[.]{2}\//g, "") || "/";

    req.params.path = normalized;

    next();
};
c9-auto-bump 3.1.2814 2016-06-26 11:53:19 +00:00			`"use strict";`

			`var Path = require("path");`
			`var error = require("http-error");`

			`module.exports = function sanitzePreviewPath(req, res, next) {`

			`var normalized;`
			`try {`
			`normalized = Path.normalize(decodeURIComponent(req.params.path));`
			`} catch(e) {`
			`return next(new error.BadRequest("URI malformed"));`
			`}`

			`// N.B. Path.normalize does not strip away when the path starts with "../"`
			`if (normalized)`
			`normalized = normalized.replace(/[.]{2}\//g, "") \|\| "/";`

			`req.params.path = normalized;`

			`next();`
			`};`