Skip to content

fix: if serve: false and root is not defined, only allow sending files with absolute path #540

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Oct 16, 2025
Merged

fix: if serve: false and root is not defined, only allow sending files with absolute path #540

merged 3 commits into from
Oct 16, 2025

Conversation

@Uzlopak
Copy link
Contributor

@Uzlopak Uzlopak commented Oct 15, 2025
edited
Loading

If serve is set to false, it only allows to send files specified with an absolute path. Or else sendFile makes no sense anymore, despite that we want to allow the use of sendFile.

Checklist

@Uzlopak Uzlopak mentioned this pull request Oct 15, 2025
Closed
ilteoood
ilteoood reviewed Oct 15, 2025
View reviewed changes
ilteoood
ilteoood reviewed Oct 15, 2025
View reviewed changes
Copy link
Contributor

@ilteoood ilteoood left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Uzlopak
Copy link
Contributor Author

Uzlopak commented Oct 15, 2025

I would like to have a review by @climba03003 or @is2ei regarding the security aspect.

@is2ei
Copy link
Contributor

is2ei commented Oct 16, 2025

I think @climba03003 would be the right person, as he originally mentioned the security concern.

@Uzlopak
Copy link
Contributor Author

Uzlopak commented Oct 16, 2025

I pinged him on discord. Lets see if he has time.

climba03003
climba03003 approved these changes Oct 16, 2025
View reviewed changes
Copy link
Member

@climba03003 climba03003 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@Uzlopak Uzlopak linked an issue Oct 16, 2025 that may be closed by this pull request
When using serve: false, root should be optional #460
Closed
2 tasks
Uzlopak
Uzlopak commented Oct 16, 2025
View reviewed changes
@Uzlopak
fix
7b5ad30 
If serve is set explicitly to false then root is required
If root is set, it must be validated
@Uzlopak
Copy link
Contributor Author

Uzlopak commented Oct 16, 2025

@is2ei
Can you have a review regarding the root option check?

is2ei
is2ei approved these changes Oct 16, 2025
View reviewed changes
Copy link
Contributor

@is2ei is2ei left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@Uzlopak Uzlopak merged commit 27f2bfe into main Oct 16, 2025
17 checks passed
@Uzlopak Uzlopak deleted the no-mandatory-root branch October 16, 2025 18:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ilteoood ilteoood ilteoood left review comments

@is2ei is2ei is2ei approved these changes

@climba03003 climba03003 climba03003 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

When using serve: false, root should be optional

5 participants

@Uzlopak @is2ei @ilteoood @climba03003