Created
August 24, 2016 21:49
-
-
Save amejiarosario/53afae82e18db30dadc9bc39035778e5 to your computer and use it in GitHub Desktop.
Node.js quick file server (static files over HTTP) using es6+
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| const http = require('http'); | |
| const url = require('url'); | |
| const fs = require('fs'); | |
| const path = require('path'); | |
| const port = process.argv[2] || 9000; | |
| http.createServer(function (req, res) { | |
| console.log(`${req.method} ${req.url}`); | |
| // parse URL | |
| const parsedUrl = url.parse(req.url); | |
| // extract URL path | |
| let pathname = `.${parsedUrl.pathname}`; | |
| // based on the URL path, extract the file extention. e.g. .js, .doc, ... | |
| const ext = path.parse(pathname).ext; | |
| // maps file extention to MIME typere | |
| const map = { | |
| '.ico': 'image/x-icon', | |
| '.html': 'text/html', | |
| '.js': 'text/javascript', | |
| '.json': 'application/json', | |
| '.css': 'text/css', | |
| '.png': 'image/png', | |
| '.jpg': 'image/jpeg', | |
| '.wav': 'audio/wav', | |
| '.mp3': 'audio/mpeg', | |
| '.svg': 'image/svg+xml', | |
| '.pdf': 'application/pdf', | |
| '.doc': 'application/msword' | |
| }; | |
| fs.exists(pathname, function (exist) { | |
| if(!exist) { | |
| // if the file is not found, return 404 | |
| res.statusCode = 404; | |
| res.end(`File ${pathname} not found!`); | |
| return; | |
| } | |
| // if is a directory search for index file matching the extention | |
| if (fs.statSync(pathname).isDirectory()) pathname += '/index' + ext; | |
| // read file from file system | |
| fs.readFile(pathname, function(err, data){ | |
| if(err){ | |
| res.statusCode = 500; | |
| res.end(`Error getting the file: ${err}.`); | |
| } else { | |
| // if the file is found, set Content-type and send data | |
| res.setHeader('Content-type', map[ext] || 'text/plain' ); | |
| res.end(data); | |
| } | |
| }); | |
| }); | |
| }).listen(parseInt(port)); | |
| console.log(`Server listening on port ${port}`); |
pathname = pathname.replace(/^(\.)+/, '.');
No built in 304?
python -mSimpleHTTPServer
Thanks for sharing your gist. I used your code and transformed it using ESM and async/await:
https://gist.github.com/stif/f063d2807556d18a786369425758cbc4
(Btw the "new URL (..)" constructor takes care of sanitize the URL from "../../etc/passwd" attacks, no need to use normalize/regex/whatever)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hey. I've been playing with this code, and I really really like it, but there is one change I think might be super important for security reasons.
If, at any point, a user converts the pathname to something more file readable (for instance, changing %20 to spaces), then a hack becomes possible.
If someone requests something like
http://localhost:8528/%20./get_me.html, the path name becomes../get_me.html, and they can get root access.To fix this, you can make it so the max amount of periods at the start of a filename is 1