lite-dev-server
is an HTTP file server meant for local development, or as it describes itself: "This is http file server for development. This server supports livereload function and proxy function for your api server."
Observations:
- Virtually zero downloads, so no considerable impact.
- It was last published 3 years ago.
Resources:
- Project's GitHub source code: https://github.com/shadowwzw/lite-dev-server
- Project's npm package: https://www.npmjs.com/package/lite-dev-server
This file server library is vulnerable to Path Traversal attacks because the req.url user input that reaches the server code is used with no input sanitization or other checks and protections.
On line 134 of src/server.js, the isFile() helper is called with the request path used directly, as follows:
await isFile(`${folder}${req.url}`);
and the same path is later served to users on line 138:
await giveFile(res, `${folder}${req.url}`, ext);
The isFile() function itself doesn't implement any security check that treats the public folder as a boundary; it only checks that the file path exists and is a file:
src/helpers.js:
import { promises as fsp } from 'fs'; // assumed import: fsp is the fs.promises API (the original file's import is not shown on this page)
export const isFile = async path => {
  // No check that `path` stays inside the public folder: the path is stat()ed as given.
  const stats = await fsp.stat(path);
  // Note: Promise.reject is not a constructor, so this line throws a TypeError rather than returning a rejected promise.
  if(!stats.isFile()) return new Promise.reject(Error('this is not file'));
};
This vulnerability should probably be classified as a CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
Steps to reproduce:
- Install the latest version of lite-dev-server (npm install --save lite-dev-server@3.2.7)
- Make sure you have a public/ directory with files in it
- Have a server.js file which uses this package API to serve files (see contents below)
- Run the server: node server.js
- Confirm the server started on the default port of 3000
- Send a request for a file outside the static directory and confirm it succeeds, employing a path traversal attack:
curl --path-as-is "http://localhost:3000/../package.json"
and observe the contents of the file returned in the response.
.
├── public
│   └── index.html
├── server.js
└── package.json
server.js:
const liteDevServer = require("lite-dev-server");
liteDevServer({ folder: "public", watchFolders: ["public"] });
Liran Tal