
Potential path traversal bug due to incomplete path sanitization #3

@xiaofen9

Description


Hi,

We would like to report a potential path traversal bug: when express-static handles user input, it fails to properly sanitize it, so that under some conditions attackers can still access paths outside the desired scope.

e.g., we can demonstrate the possible attack using the code provided on the project homepage:

const express = require('express');
const serve   = require('express-static');

const app = express();

app.use(serve(__dirname + '/public'));

const server = app.listen(3000, function(){
  console.log('server is running at %s', server.address().port);
});

In the above code, if you send

    curl --path-as-is "http://localhost:3000/../1.txt"

this illegal request will be denied as expected. However, if you send

    curl --path-as-is "http://localhost:3000/../public_other/1.txt"

this illegal request will be processed. This is because the path sanitization logic in express-static only checks if the path starts with a prefix. In this way, if there are any other directories under the same prefix, they are also unexpectedly exposed. This bug is in fact similar to this known vulnerability (https://gist.github.com/lirantal/c80b28e7bee148dc287339cb483e42bc).

    if(filename.indexOf(root) !== 0) return next();

Please consider a fix. Thanks!
