Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security defect in preview-docs package which allows for directory traversal and download of server files #348

Closed
edkelly-ovo opened this issue Aug 26, 2021 · 3 comments
Closed

Security defect in preview-docs package which allows for directory traversal and download of server files #348

edkelly-ovo opened this issue Aug 26, 2021 · 3 comments

Comments

@edkelly-ovo
Copy link
Contributor

Describe the bug
The file packages/cli/src/commands/preview-docs/preview-server/preview-server.ts contains a security defect that allows directory traversal of the complete file path on a server and the download of files via query parameters on the request URI.

To Reproduce
http://localhost:8080/jsp/help-sb-download.jsp?sbFileName=../../../../.redocly.yaml
http://localhost:8080/jsp/help-sb-download.jsp?sbFileName=../../{expand as needed}/etc/passwd

Expected behavior
Query parameters should be trimmed from the request URL

Logs
N/A

OpenAPI definition
N/A

openapi-cli Version(s)
1.0.0-beta.55

Node.js Version(s)
15.5.0

Additional context
PR with fix raised at #347
@adamaltman
Copy link
Member

Was accidentally not marked as closed by #347

@dwisiswant0
Copy link

Hi, @adamaltman. I think you should publish an advisory for this.

@RomanHotsiy
Copy link
Member

Published it: GHSA-q324-q795-2q5p

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@adamaltman @RomanHotsiy @dwisiswant0 @edkelly-ovo