Question

I'm using restify for node to create a simple API. I want to have a directory /public where people can simply browse to that directory and download the file they browse to.

To accomplish this, I have used in /routes/public.js:

server.get(/\/public\/?.*/, restify.serveStatic({
    directory: __dirname + '/../'
}));

as my file structure is like:

index.js
/routes
    public.js
/public
    files
    to
    be
    served

however, I have noticed a big security issue. By browsing to http://domain.com/public/../index.js the source code can be downloaded! Obviously, I do not want this to happen.

Is this a permissions job or is there something else I should be doing? Thanks


Solution

Restify does check to make sure that you're not serving files outside of the specified directory. You're specifying the root directory for static files as __dirname + '/../' which is the root of the application. That means all of the files in your application can be served via static. If you only want files in the ./public/ folder served by restify, you have to use that as the directory.

The problem stems from the confusing (and in my opinion poorly planned) way they handle mapping routes to static files. As you said, the full route is included in the path of the requested file. This leads to awkward situations like this one. You have a public folder, and also want the route to include public. That means you have to have a ./public/public folder for your resources. An alternative approach would be to not include public in your route. You can setup your static handler like this:

server.get(/.*/, restify.serveStatic({
  directory: './public/'
}));

Then a request to /somefile.txt would route to ./public/somefile.txt.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow