Skip to content

Instantly share code, notes, and snippets.

@lirantal
Last active May 2, 2023 20:32
Show Gist options
  • Save lirantal/9ccdfda0edcb95e36d07a04b0b6c2db0 to your computer and use it in GitHub Desktop.
Save lirantal/9ccdfda0edcb95e36d07a04b0b6c2db0 to your computer and use it in GitHub Desktop.
Path traversal vulnerability in serve-lite@1.1.0

Path traversal vulnerability in serve-lite@1.1.0

serve-lite descibres itself as: a lightweight http-server for static file-based web development.

Observation:

  • Virtually zero downloads, so no considerable impact.
  • It was last published 6 months ago

Resources:

Background on exploitation

This file server library is vulnerable to Path Traversal attacks due to no input sanitization or other checks and protections employed to the req.url passed as-is to path.join()

Line 111-114 of server.js:

      switch (req.method) {
        case 'GET': {
          let filename = decodeURIComponent(req.url).replace(/^\//, './')
          let file = path.join(root, filename)

and later served to users in lines 140-145:

          let ext = path.extname(filename)
          let contentType = contentTypes[ext]
          if (contentType) {
            res.setHeader('Content-Type', contentType)
          }
          fs.createReadStream(file).pipe(res)

This vulnerability should probably be classified as a CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

Proof of Concept exploit

  1. Install the latest version of serve-lite (npm install --save serve-lite@1.1.0)
  2. Make sure you have a public/ directory with files in it
  3. Run the server node server.js 3000 public/
  4. Send a request for files outside the static directory and confirm it is successful to employ a path traversal attack: curl --path-as-is "http://localhost:3000/../package.json and observe the contents of the file returned back in the response
.
├── public
│   └── index.html
|── server.js
└── package.json

Author

Liran Tal

@beenotung
Copy link

Thanks for the detail writing.

The vulnerability is fixed in serve-lite@1.1.1

Patching commit: beenotung/serve-lite@ba3efb7

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment