NodeGoat
Fix path traversal vulnerability
The first commit moves the tutorial routes out of routes/index.js and into a separate router. This is to avoid cluttering the top-level route setup with the tutorial routing code. The tutorial is effectively a microsite alongside the main application, so it seems reasonable to split it out like this.
The second commit replaces the /tutorial/:page route with individual routes for each page.
Currently the set of allowed pages is just listed explicitly. I considered generating the page list from the filesystem or using HenrikJoreteg/semi-static, but that would require moving the templates around to avoid serving the layout template.
Fixes #232
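
The pattern this pull request describes, as an added example that is not NodeGoat's code or the PR author's: a parameter-built template name beside a router that registers one route per explicitly listed page. The view directory, page names, and the stand-in router are constructed placeholders so the block runs without Express.

```javascript
const path = require("path");

// Constructed values: the view directory and page names are placeholders,
// not NodeGoat's real layout.
const VIEWS_ROOT = "/app/views";
const TUTORIAL_PAGES = ["intro", "injection", "xss"];

// Before: whatever arrives in the `:page` parameter becomes part of the
// template path, so the resolved file can sit outside the tutorial directory.
function templateForParam(page) {
  return path.posix.join(VIEWS_ROOT, "tutorial", page + ".html");
}

// After: one route per allowed page, registered on a separate router.
// `router` is any object with an Express-style get(path, handler).
function registerTutorialRoutes(router) {
  for (const page of TUTORIAL_PAGES) {
    // The template name comes from the allowlist, never from the request.
    router.get("/" + page, (req, res) => res.render("tutorial/" + page));
  }
  return router;
}

// Hypothetical exact-match router standing in for express.Router().
function makeRouter() {
  const routes = new Map();
  return {
    get(routePath, handler) { routes.set(routePath, handler); },
    handle(urlPath) {
      const handler = routes.get(urlPath);
      if (!handler) return { status: 404, view: null };
      let view = null;
      handler({ path: urlPath }, { render(name) { view = name; } });
      return { status: 200, view };
    },
  };
}

// Runs both variants against a listed page and two unlisted requests.
function demo() {
  const router = registerTutorialRoutes(makeRouter());
  return {
    escaped: templateForParam("../layout"),
    allowed: router.handle("/injection"),
    traversal: router.handle("/../layout"),
    unknown: router.handle("/layout"),
  };
}
```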