We would like to report a potential path traversal bug: when express-static handles user input, it fails to properly sanitize it, so that attackers can still access paths outside the desired scope under some conditions.
E.g., we can demonstrate the possible attack using the code provided on the project homepage:
const express = require('express');
const serve = require('express-static');
const app = express();
// serve files from the "public" directory next to this script
app.use(serve(__dirname + '/public'));
const server = app.listen(3000, function () {
  console.log('server is running at %s', server.address().port);
});
In the above code, if you send curl --path-as-is "http://localhost:3000/../1.txt", this illegal request will be denied as expected.
However, if you send curl --path-as-is "http://localhost:3000/../public_other/1.txt", this illegal request will be processed. This is because the path sanitization logic in express-static only checks whether the path starts with a prefix. In this way, if there are any other directories under the same prefix, they are also unexpectedly exposed. This bug is in fact similar to this known vulnerability (https://gist.github.com/lirantal/c80b28e7bee148dc287339cb483e42bc).
if(filename.indexOf(root) !== 0) return next();
Please consider a fix. Thanks!
@song940, the express branch is stale. When I fork the project to apply the fix, the branch doesn't appear on my fork.
Can you make it active again? I think it is the only way to submit a fix for this issue.