direct-img/direct-img.link
1
0
Fork 0
mirror of https://github.com/direct-img/direct-img.link.git synced 2026-03-17 11:11:01 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix: Reject literal dots and slashes in pathname

Browse Source
This commit is contained in:
multipleof4
2026-02-17 19:51:50 -08:00
parent a045461df4
commit f7232b61e6
1 changed files with 8 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
functions/[[path]].js
View File

@@ -8,17 +8,19 @@ export async function onRequest(context) {
return env.ASSETS.fetch(request); return env.ASSETS.fetch(request);
} }
// Reject literal dots and slashes (bot probes like info.php or wp-admin/setup-config.php)
// We check the raw pathname (excluding leading slash and trailing slashes) to allow encoded dots (%2E) and slashes (%2F)
const rawQueryPart = url.pathname.slice(1).replace(/\/+$/, "");
if (rawQueryPart.includes(".") || rawQueryPart.includes("/")) {
const badReq = new Request(new URL("/bad.webp", url.origin));
return env.ASSETS.fetch(badReq);
}
const query = normalizeQuery(path); const query = normalizeQuery(path);
if (!query) { if (!query) {
return jsonResponse(400, { error: "Empty query" }); return jsonResponse(400, { error: "Empty query" });
} }
// Reject queries containing slashes (bot probes like wp-admin/setup-config.php)
if (query.includes("/")) {
const badReq = new Request(new URL("/bad.webp", url.origin));
return env.ASSETS.fetch(badReq);
}
// Max query length: 200 chars after normalization // Max query length: 200 chars after normalization
if (query.length > 200) { if (query.length > 200) {
return jsonResponse(400, { error: "Query too long (max 200 characters)" }); return jsonResponse(400, { error: "Query too long (max 200 characters)" });