Conversation
mateacademy-ai-mentor
left a comment
Review Summary
While your server implementation is off to a good start, some changes are needed to address a couple of failing tests that were detected.
- Path Traversal Vulnerability: The test `should return 400 for traversal paths` is failing. Your server isn't correctly blocking requests that use `../` to access files outside the `public` directory. Please add logic to validate the requested path and return a `400 Bad Request` status when a traversal attempt is detected.
- Incorrect `Content-Type` Header: For routes that do not start with `/file/`, the server should respond with a `Content-Type` of `text/plain`. The tests show it's currently sending `text/html`. You can fix this by explicitly setting the correct header before sending the response, for example: `res.setHeader('Content-Type', 'text/plain');`.
Addressing these two points will get your tests to pass. Keep up the great work!
✨ Please rate this review in the Platform's notification center. I will be grateful for your feedback! ✨
Important
Fix the issues, commit the changes, and then re-request my review using the Re-request review button in the Reviewers tab.
Tip
If you have any comments about this review, please leave a message in the Add a comment section below and mention me with the @mateacademy-ai-mentor tag.
I will read your message during my next review of your pull request. Please do not reply directly to my comments, as that feature is not supported yet.
Caution
Do not close the pull request until the review is complete. Closing it early can lead to unexpected behavior and disrupt the review process.
mateacademy-ai-mentor
left a comment
Review Summary
Excellent work on the server implementation! You've correctly handled most of the routing and file-serving logic. However, changes are needed because a critical security test is failing. The server does not correctly block directory traversal attempts.
A request like /file/../app.js should be identified as a malicious attempt and rejected with a 400 Bad Request status code. Currently, your server is not returning this error, which creates a security vulnerability.
To fix this, you need to resolve the absolute path for the requested file and check if it is still within the public directory. If the resolved path points to a location outside of public, you should end the request and send the 400 status. You're very close to finishing!