bad-example.com
demos for spacedust
whatever sketchy whatever
+2
-1
+2
-1
server/index.js
+2
-1
server/index.js
···
183
183
}
184
184
};
185
185
186
+
// never EVER allow user-controllable input into fname (or just fix the path joining)
186
187
const handleFile = (fname, ftype) => async (req, res, replace = {}) => {
187
188
let content
188
189
try {
189
-
content = await fs.promises.readFile(import.meta.dirname + '/web-content/' + fname);
190
+
content = await fs.promises.readFile(`./web-content/${fname}`); // DANGERDANGER
190
191
content = content.toString();
191
192
} catch (err) {
192
193
console.error(err);