From 82de4de5ab92e8237d713285104e4b8452927352 Mon Sep 17 00:00:00 2001
From: KoyamaSohei <koyamaso0309@gmail.com>
Date: Fri, 13 Dec 2019 14:38:56 +0900
Subject: [PATCH] examples: fix path traversal in downloads example

closes #4120
---
 examples/downloads/index.js  | 7 ++++++-
 package.json                 | 1 +
 test/acceptance/downloads.js | 8 ++++++++
 3 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/examples/downloads/index.js b/examples/downloads/index.js
index 91c52bb87c..62e7fa6e3e 100644
--- a/examples/downloads/index.js
+++ b/examples/downloads/index.js
@@ -6,8 +6,13 @@
 
 var express = require('../../');
 var path = require('path');
+var resolvePath = require('resolve-path')
+
 var app = module.exports = express();
 
+// path to where the files are stored on disk
+var FILES_DIR = path.join(__dirname, 'files')
+
 app.get('/', function(req, res){
   res.send('<ul>' +
     '<li>Download <a href="/files/notes/groceries.txt">notes/groceries.txt</a>.</li>' +
@@ -20,7 +25,7 @@ app.get('/', function(req, res){
 // /files/* is accessed via req.params[0]
 // but here we name it :file
 app.get('/files/:file(*)', function(req, res, next){
-  var filePath = path.join(__dirname, 'files', req.params.file);
+  var filePath = resolvePath(FILES_DIR, req.params.file)
 
   res.download(filePath, function (err) {
     if (!err) return; // file sent
diff --git a/package.json b/package.json
index daa2f0d3a1..fe5d07553f 100644
--- a/package.json
+++ b/package.json
@@ -75,6 +75,7 @@
     "multiparty": "4.2.2",
     "nyc": "15.1.0",
     "pbkdf2-password": "1.2.1",
+    "resolve-path": "1.4.0",
     "should": "13.2.3",
     "supertest": "6.2.2",
     "vhost": "~3.0.2"
diff --git a/test/acceptance/downloads.js b/test/acceptance/downloads.js
index ae44388354..6db43b351e 100644
--- a/test/acceptance/downloads.js
+++ b/test/acceptance/downloads.js
@@ -36,4 +36,12 @@ describe('downloads', function(){
       .expect(404, done)
     })
   })
+
+  describe('GET /files/../index.js', function () {
+    it('should respond with 403', function (done) {
+      request(app)
+        .get('/files/../index.js')
+        .expect(403, done)
+    })
+  })
 })