easy-static-server is an HTTP file server, or, as it describes itself, "an easy server for static files".
Observations:
- Virtually zero downloads, so no considerable impact.
- It was last published 6 years ago.
Resources:
- Project's GitHub source code: https://github.com/cunjieliu/easyServer
- Project's npm package: https://www.npmjs.com/package/easy-static-server
This file server library is vulnerable to Path Traversal attacks because no input sanitization, bounds check or sandboxing is applied to the req.url user input that is passed to the server code. Line 27 in index.js, as shown below, joins the root path of the public directory with the path requested on the server, yet fails to resolve the resulting path for any directory traversal or to enforce the bounds of the root directory.
index.js (of easy-static-server@0.1.1):
var file = path.join(root, url.parse(req.url).pathname);
console.info(Date() + ": GET file:" + file);
fs.exists(file, function(exists){
This vulnerability should probably be classified as a CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
Steps to reproduce:
- Install the latest version of easy-static-server (npm install --save easy-static-server@0.1.1)
- Make sure you have a public/ directory with files in it
- Have a server.js file which uses this package API to serve files (see contents below)
- Run the server: node server.js
- Confirm the server started on the default port of 3000
- Send a request for a file outside the static directory and confirm that it succeeds, which demonstrates the path traversal:
  curl --path-as-is "http://localhost:3000/../package.json"
  and observe the contents of the file returned in the response.
Project layout:
├── public
│   └── index.html
├── server.js
└── package.json
server.js:
const server = require('easy-static-server');
server('./public');
Liran Tal