Conversation
mateacademy-ai-mentor
left a comment
mateacademy-ai-mentor
left a comment
There was a problem hiding this comment.
Review Summary
Good work on setting up the server and handling the basic file-serving logic. However, changes are needed because a key requirement is not met.
Your server does not correctly handle requests for /file and /file/. According to the requirements, both of these paths should serve the public/index.html file, but they currently lead to an error. Please adjust your logic to treat these paths as a request for index.html.
Also, the way you determine the Content-Type is not very reliable. Using split('.') to get the file extension can fail for filenames with multiple dots. A more robust method is to use path.extname() and map the extension to a full MIME type, like '.css' to 'text/css'.
✨ Please rate this review in the Platform's notification center1. I will be grateful for your feedback! ✨
Important
Fix the issues, commit the changes, and then re-request my review using the Re-request review button2 in the Reviewers tab.
Tip
If you have any comments about this review, please leave a message in the Add a comment section below and mention me with the @mateacademy-ai-mentor tag3.
I will read your message during my next review of your pull request. Please do not reply directly to my comments, as that feature is not supported yet.
Caution
Do not close the pull request until the review is complete. Closing it early can lead to unexpected behavior and disrupt the review process.
Footnotes
src/createServer.js
Outdated
| return; | ||
| } | ||
|
|
||
| const relativePath = filePath.slice('/file/'.length); |
There was a problem hiding this comment.
The requirements state that both /file and /file/ should serve public/index.html, but this is not handled correctly. The check on line 34 will reject /file, and requests for /file/ will result in an empty relativePath, which causes an error when reading the file. You need to adjust the logic to correctly handle these two specific paths and default the filename to index.html.
src/createServer.js
Outdated
| } | ||
|
|
||
| res.statusCode = 200; | ||
| res.setHeader('Content-Type', `text/${format}`); |
There was a problem hiding this comment.
Setting the Content-Type this way has two potential issues. First, getting the file extension with split('.') (on line 16) is not robust; it can fail for filenames with multiple dots or no extension. Using path.extname() is a safer alternative. Second, hardcoding the type as text/... will not work for non-text files like images. A better approach is to create a small map of extensions to their full MIME types (e.g., { '.html': 'text/html', '.css': 'text/css' }).
mateacademy-ai-mentor
left a comment
mateacademy-ai-mentor
left a comment
There was a problem hiding this comment.
Review Summary
Good progress on the content-type handling! However, some critical requirements are not yet met, so I'm requesting a few changes.
-
Handling for
/fileand/file/is incorrect. The server must returnpublic/index.htmlfor both of these paths. Currently,/filereturns a hint message, and a request to/file/results in a 404 error because it tries to read a directory. Please adjust your logic to treat both of these cases as a request forindex.html. -
The security check for path traversal is insufficient. Your check for
..can be bypassed with URL-encoded characters (e.g.,%2e%2e). A more secure method is to create the full file path, normalize it usingpath.resolve()orpath.normalize(), and then check if the resulting path is still inside yourpublicdirectory before serving the file.
Once these key issues are addressed, your server will be much more robust and secure.
✨ Please rate this review in the Platform's notification center1. I will be grateful for your feedback! ✨
Important
Fix the issues, commit the changes, and then re-request my review using the Re-request review button2 in the Reviewers tab.
Tip
If you have any comments about this review, please leave a message in the Add a comment section below and mention me with the @mateacademy-ai-mentor tag3.
I will read your message during my next review of your pull request. Please do not reply directly to my comments, as that feature is not supported yet.
Caution
Do not close the pull request until the review is complete. Closing it early can lead to unexpected behavior and disrupt the review process.
Footnotes
| const normilizedURL = new url.URL(req.url, `http://${req.headers.host}`); | ||
| const filePath = normilizedURL.pathname; | ||
|
|
||
| if (req.url === '/app.js' || req.url.includes('/file/..')) { |
There was a problem hiding this comment.
This check for path traversal is a good idea, but it can be bypassed using URL-encoded characters (e.g., %2e%2e for ..). A more secure method is to create the full file path, normalize it, and then check if it's still inside your publicDir before attempting to read the file. This ensures you never access files outside the intended directory.
| return; | ||
| } | ||
|
|
||
| if (filePath === '/file' || !filePath.startsWith('/file/')) { |
There was a problem hiding this comment.
According to the requirements, a request to /file should serve public/index.html. This condition incorrectly treats /file the same as other invalid paths and returns a hint message instead. You'll need to adjust the logic to handle the /file case specifically.
src/createServer.js
Outdated
| return; | ||
| } | ||
|
|
||
| const relativePath = filePath.slice('/file/'.length); |
There was a problem hiding this comment.
When the request URL is /file/, relativePath becomes an empty string. Later, fs.readFile fails when trying to read a directory, resulting in a 404 error. The requirement is to serve index.html in this case. You should add logic to handle an empty relativePath by defaulting it to index.html.
mateacademy-ai-mentor
left a comment
mateacademy-ai-mentor
left a comment
There was a problem hiding this comment.
Review Summary
I'm approving this submission as an educational override to help you keep moving forward. Great job fixing the /file/ path to correctly serve index.html!
There are two important items left to address:
- Security Vulnerability: The current check for
..in the path can be bypassed using URL encoding (e.g.,%2e%2e). A more secure method is to resolve the absolute file path and then confirm it's still inside thepublicdirectory before serving it. - Endpoint Handling: A request to
/file(without the trailing slash) should also servepublic/index.html, but it's currently returning the hint message.
You're very close to a complete and secure solution. Keep up the excellent work!
✨ Please rate this review in the Platform's notification center1. I will be grateful for your feedback! ✨
Footnotes
| const normilizedURL = new url.URL(req.url, `http://${req.headers.host}`); | ||
| const filePath = normilizedURL.pathname; | ||
|
|
||
| if (req.url === '/app.js' || req.url.includes('/file/..')) { |
There was a problem hiding this comment.
This check is a good first step, but it's not secure enough to prevent all path traversal attacks. A request with URL-encoded characters like /file/%2e%2e/some_file could bypass this includes() check.
As mentioned in the previous review, a more robust way to handle this is to:
- Construct the full, absolute path to the requested file.
- Normalize this path using
path.resolve(). - Check if the normalized path still starts with the absolute path of your
publicDir.
| return; | ||
| } | ||
|
|
||
| if (filePath === '/file' || !filePath.startsWith('/file/')) { |
There was a problem hiding this comment.
This condition correctly handles cases that don't start with /file/, but it incorrectly handles the /file case. According to the requirements, a request to /file should serve public/index.html, just like a request to /file/. Currently, it's returning the hint message.
2 participants
No description provided.