fix: travel path vulnerability on tutorial pages, merge pull request #233 from rcowsill/fix/path-traversal

lirantal · web-flow · commit 5e71697d2c07 · 2023-05-28T18:07:34.000+01:00
Fix path traversal vulnerability
diff --git a/app/routes/index.js b/app/routes/index.js
@@ -5,9 +5,7 @@ const ContributionsHandler = require("./contributions");
 const AllocationsHandler = require("./allocations");
 const MemosHandler = require("./memos");
 const ResearchHandler = require("./research");
-const {
-    environmentalScripts
-} = require("../../config/config");
+const tutorialRouter = require("./tutorial");
 const ErrorHandler = require("./error").errorHandler;
 
 const index = (app, db) => {
@@ -74,25 +72,12 @@ const index = (app, db) => {
         return res.redirect(req.query.url);
     });
 
-    // Handle redirect for learning resources link
-    app.get("/tutorial", (req, res) => {
-        return res.render("tutorial/a1", {
-            environmentalScripts
-        });
-    });
-
-    app.get("/tutorial/:page", (req, res) => {
-        const {
-            page
-        } = req.params;
-        return res.render(`tutorial/${page}`, {
-            environmentalScripts
-        });
-    });
-
     // Research Page
     app.get("/research", isLoggedIn, researchHandler.displayResearch);
 
+    // Mount tutorial router
+    app.use("/tutorial", tutorialRouter);
+
     // Error handling middleware
     app.use(ErrorHandler);
 };
diff --git a/app/routes/tutorial.js b/app/routes/tutorial.js
@@ -0,0 +1,39 @@
+const express = require("express");
+const {
+    environmentalScripts
+} = require("../../config/config");
+
+const router = express.Router();
+
+router.get("/", (req, res) => {
+    "use strict";
+    return res.render("tutorial/a1", {
+        environmentalScripts
+    });
+});
+
+const pages = [
+    "a1",
+    "a2",
+    "a3",
+    "a4",
+    "a5",
+    "a6",
+    "a7",
+    "a8",
+    "a9",
+    "a10",
+    "redos",
+    "ssrf"
+];
+
+for(const page of pages) {
+    router.get(`/${page}`, (req, res) => {
+        "use strict";
+        return res.render(`tutorial/${page}`, {
+            environmentalScripts
+        });
+    });
+}
+
+module.exports = router;
