[Bug] Can render specific files at any path outside the root dir

[21k]

• the code is at https://github.com/queckezz/koa-views/blob/master/src/index.js#L44

      if (isHtml(suffix) && !map) {
        return send(ctx, paths.rel, {
          root: path
        })
      } else {
        const engineName = map && map[suffix] ? map[suffix] : suffix
  
        const render = engineSource[engineName]
  
        if (!engineName || !render)
          return Promise.reject(
            new Error(`Engine not found for the ".${suffix}" file extension`)
          )
        return render(resolve(path, paths.rel), state).then(html => {
             ...
        })
      }

• If the file is html it uses send function, which is in package koa-send, https://github.com/koajs/send/blob/master/index.js#L81 which uses resolve-path to parse the rootPath and the relPath, in code https://github.com/pillarjs/resolve-path/blob/master/index.js#L82, it handles the path outside root case ,so it's safe.

  
  var UP_PATH_REGEXP = /(?:^|[\\/])\.\.(?:[\\/]|$)/

// path outside root if (UP_PATH_REGEXP.test(normalize('.' + sep + path))) { throw createError(403) }

- If the file is other
the code is https://github.com/queckezz/koa-views/blob/master/src/index.js#L49
it uses map or consolidate, if map is not set, the render  will be  consolidate[file_ suffix], at last it uses **resolve**  in node **path** package to handle the rootPath and the relPath, there is no crontrol of  path outside root, the problem is here, thus if the render engine exists, such file can be rendered, for examples:

http://127.0.0.1:7000/doc/..%2F..%2F..%2F..%2Fnode_modules%2Fkoa-views%2Ftest%2Ffixtures%2Fbasic.ejs http://127.0.0.1:7000/doc?file=../../../../node_modules/koa-views/test/fixtures/basic.ejs

[int64ago]

Nice catch! I'll fix it later.

[int64ago]

Fixed