From 5ce4f432cd93dc28907d48d7b09353a8dd53062d Mon Sep 17 00:00:00 2001
From: Arunoda Susiripala
Date: Fri, 28 Jul 2017 18:33:39 +0530
Subject: [PATCH] Make sure the /static working properly. (#2675)
---
 server/index.js | 12 ++++++++++--
 test/integration/production/static/data/item.txt | 1 +
 test/integration/production/test/index.test.js | 11 +++++++++++
 3 files changed, 22 insertions(+), 2 deletions(-)
 create mode 100644 test/integration/production/static/data/item.txt
diff --git a/server/index.js b/server/index.js
index 82f54d69..513a87e1 100644
--- a/server/index.js
+++ b/server/index.js
@@ -171,12 +171,20 @@ export default class Server {
 await renderScript(req, res, page, this.renderOpts)
 },
- '/_next/:path?': async (req, res, params) => {
+ // It's very important keep this route's param optional.
+ // (but it should support as many as params, seperated by '/')
+ // Othewise this will lead to a pretty simple DOS attack.
+ // See more: https://github.com/zeit/next.js/issues/2617
+ '/_next/:path*': async (req, res, params) => {
 const p = join(__dirname, '..', 'client', ...(params.path || []))
 await this.serveStatic(req, res, p)
 },
- '/static/:path?': async (req, res, params) => {
+ // It's very important keep this route's param optional.
+ // (but it should support as many as params, seperated by '/')
+ // Othewise this will lead to a pretty simple DOS attack.
+ // See more: https://github.com/zeit/next.js/issues/2617
+ '/static/:path*': async (req, res, params) => {
 const p = join(this.dir, 'static', ...(params.path || []))
 await this.serveStatic(req, res, p)
 }
diff --git a/test/integration/production/static/data/item.txt b/test/integration/production/static/data/item.txt
new file mode 100644
index 00000000..a7130742
--- /dev/null
+++ b/test/integration/production/static/data/item.txt
@@ -0,0 +1 @@
+item
\ No newline at end of file
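Review bot: In server/index.js, both `/_next/:path*` and `/static/:path*` now spread any number of request-supplied segments into `join(...)`, and nothing in this hunk checks that the resolved path stays under the intended directory. `join` normalises `..` segments, so containment depends on how the router decodes segments and on what `serveStatic` does, neither of which is visible here. If `serveStatic` does not already enforce it, I would add a guard before each call, e.g. `const base = join(this.dir, 'static')` and `if (p !== base && !p.startsWith(base + sep)) { /* respond 404 */ }` (with `sep` imported from `path`), and the equivalent for the `client` directory. The four-line comment is duplicated verbatim and never states the failure mode; one sentence saying what happens when a request with no trailing segment (`/static/`, `/_next/`) fails to match would make it useful to the next maintainer. The routes object starts and ends outside the hunk.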
diff --git a/test/integration/production/test/index.test.js b/test/integration/production/test/index.test.js
index 40eb47a1..5d3a715f 100644
--- a/test/integration/production/test/index.test.js
+++ b/test/integration/production/test/index.test.js
@@ -77,4 +77,15 @@ describe('Production Usage', () => {
 browser.close()
 })
 })
+
+ describe('Misc', () => {
+ it('should allow to access /static/ and /_next/', async () => {
+ // This is a test case which prevent the following issue happening again.
+ // See: https://github.com/zeit/next.js/issues/2617
+ await renderViaHTTP(appPort, '/_next/')
+ await renderViaHTTP(appPort, '/static/')
+ const data = await renderViaHTTP(appPort, '/static/data/item.txt')
+ expect(data).toBe('item')
+ })
+ })
 })
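Review bot: The two bare calls `await renderViaHTTP(appPort, '/_next/')` and `await renderViaHTTP(appPort, '/static/')` assert nothing, so the test only shows that the requests settle and that the server still answers the following one; how `renderViaHTTP` behaves on an error status is not visible here. I would either assert on what those two requests return or state the intent in a comment such as `// These requests only need to settle; the item.txt assertion below proves the server is still serving afterwards.` Because `:path*` now accepts nested segments, a companion case asserting that a path resolving outside `static/` is not served would pin the boundary of the new route as well. The enclosing `describe('Production Usage')` block starts outside the hunk.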