serve-lite describes itself as: a lightweight http-server for static file-based web development.
Observation:
- Virtually zero downloads, so no considerable impact.
- It was last published 6 months ago
Resources:
- Project's GitHub source code: https://github.com/beenotung/serve-lite
- Project's npm package: https://www.npmjs.com/package/serve-lite
This file server library is vulnerable to path traversal because `req.url` is passed as-is to `path.join()`, with no input sanitization or other checks and protections applied to it.

Lines 111-114 of server.js:

```js
switch (req.method) {
  case 'GET': {
    // req.url is decoded and joined onto root with no containment check
    let filename = decodeURIComponent(req.url).replace(/^\//, './')
    let file = path.join(root, filename)
```
and the resulting path is later served to users in lines 140-145:

```js
let ext = path.extname(filename)
let contentType = contentTypes[ext]
if (contentType) {
  res.setHeader('Content-Type', contentType)
}
// file may point anywhere on disk at this point
fs.createReadStream(file).pipe(res)
```
This vulnerability should probably be classified as a CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
- Install the latest version of serve-lite (`npm install --save serve-lite@1.1.0`)
- Make sure you have a `public/` directory with files in it
- Run the server: `node server.js 3000 public/`
- Send a request for files outside the static directory and confirm it is successful to employ a path traversal attack: `curl --path-as-is "http://localhost:3000/../package.json"` and observe the contents of the file returned back in the response

Directory layout used for the reproduction:

```
.
├── public
│   └── index.html
├── server.js
└── package.json
```
Liran Tal
Thanks for the detailed writing.
The vulnerability is fixed in serve-lite@1.1.1
Patching commit: beenotung/serve-lite@ba3efb7