fix!: don't serve static files unless static.fsRoot is explicitly spe…

…cified
globalbrain · Nov 10, 2024 · ba49813 · ba49813
1 parent dbaf23a
commit ba49813
Show file tree

Hide file tree

Showing 8 changed files with 59 additions and 53 deletions.
diff --git a/README.md b/README.md
@@ -30,7 +30,7 @@ This will serve the `api` directory as an API on `http://localhost:3000/api`.
 To run the server in development mode, you can use the following command:
 
 ```sh
-DENO_ENV=development deno run --watch --allow-env --allow-read --allow-net server.ts
+DENO_ENV=development deno run --watch --allow-env --allow-ffi --allow-read --allow-net server.ts
 ```
 
 This will restart the server on file changes and will watch for changes in the `api` directory.
@@ -96,6 +96,10 @@ Here, `Request` and `Response` are Deno's built-in [request](https://docs.deno.c
 
 Also, note that the API routes will take precedence over static files. It is recommended to specify non-conflicting URL roots for API and static routes.
 
+## Security Considerations
+
+- Do not set `static.fsRoot` to a directory that contains sensitive files. The server will serve any file in that directory including dotfiles.
+
 ## Contributing
 
 This project is a work in progress and is not yet ready for production use. It is meant as an internal tool for [Global Brain Corporation](https://globalbrains.com/en), but we welcome external contributions and feedback. Please feel free to open an issue or a pull request. This project follows Semantic Versioning and the Conventional Commits guidelines.

diff --git a/deno.json b/deno.json
@@ -26,7 +26,8 @@
     "lint:fail": "deno lint",
     "test": "deno test -A",
     "test:watch": "deno test -A --watch",
-    "check": "deno task format:fail && deno task lint:fail && deno task test",
+    "type": "deno check **/*.ts",
+    "check": "deno task format:fail && deno task lint:fail && deno task type && deno task test",
     "release": "deno run -A ./scripts/release.ts",
     "update": "deno run -A ./scripts/update.ts"
   },

diff --git a/deno.lock b/deno.lock
diff --git a/deps.ts b/deps.ts
@@ -1,8 +1,8 @@
-export { abortable, deadline, debounce, delay, retry } from 'jsr:@std/async@^1.0.7'
+export { abortable, deadline, debounce, delay, retry } from 'jsr:@std/async@^1.0.8'
 export { walk } from 'jsr:@std/fs@^1.0.5'
 export { serveDir, type ServeDirOptions, STATUS_CODE, STATUS_TEXT, type StatusCode } from 'jsr:@std/http@^1.0.9'
-export { joinGlobs, toFileUrl } from 'jsr:@std/path@^1.0.7'
-export { normalize as posixNormalize } from 'jsr:@std/path@^1.0.7/posix/normalize'
+export { joinGlobs, toFileUrl } from 'jsr:@std/path@^1.0.8'
+export { normalize as posixNormalize } from 'jsr:@std/path@^1.0.8/posix/normalize'
 export { escape } from 'jsr:@std/regexp@^1.0.0'
 export { watch } from 'npm:chokidar@^3.6.0'
 export type { ZodType } from 'npm:zod@^3.23.8'
diff --git a/dev_deps.ts b/dev_deps.ts
@@ -10,16 +10,16 @@ export {
   type SelectOptions,
 } from 'jsr:@cliffy/prompt@^1.0.0-rc.7'
 export { as, ensure, is } from 'jsr:@core/unknownutil@^4.3.0'
-export { createGraph, load as loadGraph } from 'jsr:@deno/graph@^0.83.4'
-export type { DependencyJson, ResolvedDependency } from 'jsr:@deno/graph@^0.83.4/types'
-export { assertEquals, assertExists } from 'jsr:@std/assert@^1.0.6'
+export { createGraph, load as loadGraph } from 'jsr:@deno/graph@^0.84.1'
+export type { DependencyJson, ResolvedDependency } from 'jsr:@deno/graph@^0.84.1/types'
+export { assertEquals, assertExists } from 'jsr:@std/assert@^1.0.7'
 export { parseArgs } from 'jsr:@std/cli@^1.0.6'
 export { Spinner } from 'jsr:@std/cli@^1.0.6/unstable-spinner'
 export { filterEntries } from 'jsr:@std/collections@^1.0.9'
 export { bold, cyan, dim, green, magenta } from 'jsr:@std/fmt@^1.0.3/colors'
 export { expandGlob } from 'jsr:@std/fs@^1.0.5'
 export { getAvailablePort } from 'jsr:@std/net@^1.0.4/get-available-port'
-export { dirname, fromFileUrl, relative, resolve, toFileUrl } from 'jsr:@std/path@^1.0.7'
+export { dirname, fromFileUrl, relative, resolve, toFileUrl } from 'jsr:@std/path@^1.0.8'
 export { escape } from 'jsr:@std/regexp@^1.0.0'
 export * as SemVer from 'jsr:@std/semver@^1.0.3'
 

diff --git a/scripts/release.ts b/scripts/release.ts
@@ -65,11 +65,11 @@ const oldVersion = SemVer.parse(denoJson.version)
 const defaultTheme = { prefix: green('? '), listPointer: cyan('❯'), pointer: cyan('›') }
 
 class Confirm extends _Confirm {
-  public getDefaultSettings(options: ConfirmOptions) {
+  public override getDefaultSettings(options: ConfirmOptions) {
     return { ...super.getDefaultSettings(options), active: 'yes', inactive: 'no', default: true, ...defaultTheme }
   }
 
-  protected addChar(char: string): void {
+  protected override addChar(char: string): void {
     if (char.toLowerCase() === 'y') {
       this.inputValue = 'yes'
       this.submit()
@@ -81,11 +81,11 @@ class Confirm extends _Confirm {
 }
 
 class Select extends _Select<string> {
-  public getDefaultSettings(options: SelectOptions<string>) {
+  public override getDefaultSettings(options: SelectOptions<string>) {
     return { ...super.getDefaultSettings(options), ...defaultTheme }
   }
 
-  protected highlight(name: string | number): string {
+  protected override highlight(name: string | number): string {
     const isCurrent = name === this.options[this.listIndex]?.name
 
     name = name + ''
@@ -123,7 +123,7 @@ class Select extends _Select<string> {
 }
 
 class Input extends _Input {
-  public getDefaultSettings(options: InputOptions) {
+  public override getDefaultSettings(options: InputOptions) {
     return { ...super.getDefaultSettings(options), ...defaultTheme }
   }
 }

diff --git a/src/router.ts b/src/router.ts
@@ -290,7 +290,7 @@ export async function createRouter(
   { fsRoot, urlRoot = '', static: statik, dev = false }: {
     fsRoot: string
     urlRoot?: string
-    static?: ServeDirOptions
+    static?: ServeDirOptions & { fsRoot: string }
     dev?: boolean
   },
 ): Promise<{ handler: (req: Request) => Promise<Response> }> {
@@ -374,7 +374,7 @@ export async function createRouter(
       }
     }
 
-    if (statik) {
+    if (statik?.fsRoot) {
       return serveDir(req, { quiet: true, ...statik })
     }
 

diff --git a/src/sentry.ts b/src/sentry.ts
@@ -24,10 +24,10 @@ import {
   setHttpStatus,
   startSpan,
   withIsolationScope,
-} from 'https://esm.sh/@sentry/core@^8.35.0'
-import * as Sentry from 'https://esm.sh/@sentry/deno@^8.35.0'
-import type { Client, IntegrationFn, SpanAttributes } from 'https://esm.sh/@sentry/types@^8.35.0'
-import { getSanitizedUrlString, parseUrl } from 'https://esm.sh/@sentry/utils@^8.35.0'
+} from 'https://esm.sh/@sentry/core@^8.37.1'
+import * as Sentry from 'https://esm.sh/@sentry/deno@^8.37.1'
+import type { Client, IntegrationFn, SpanAttributes } from 'https://esm.sh/@sentry/types@^8.37.1'
+import { getSanitizedUrlString, parseUrl } from 'https://esm.sh/@sentry/utils@^8.37.1'
 
 type RawHandler = (request: Request, info: Deno.ServeHandlerInfo) => Response | Promise<Response>