Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security Fix for Path Traversal - huntr.dev #275

Open
wants to merge 15 commits into
base: master
Choose a base branch
from

Conversation

huntr-helper
Copy link

@huntr-helper huntr-helper commented Aug 26, 2020

https://huntr.dev/users/Mik317 has fixed the Path Traversal vulnerability 🔨. Mik317 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#2
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/superstatic/1/README.md

User Comments:

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-npm-superstatic

⚙️ Description *

The superstatic server was vulnerable against a path traversal issue which occurred because symlink files where showed, leading to dangerous scenario which could be exploitable.

💻 Technical Description *

In order to avoid the issue, I added the possibility to simply check if the symlink option flag has been set when starting the server. If symlink flag is passed when invoking the superstatic command, the symlinks are showed and fetched successfully, whereas when symlink flag is missed, it's showed a 404 error.

The added flag makes possible switching really simply between the 2 options, and I added a bit of doc in the README to be sure people aware of the options it-self and risks.

Finally, the default value of the symlink flag is false (security reason, shares the same concept of other webserver like Nginx) and if devs are using the lib version, it's necessary just switching the default value to true in case they want to serve also symlink files.

🐛 Proof of Concept (PoC) *

  1. Install
  2. Go on the bin dir
  3. ./server
  4. Create a symlink like ln -s /etc/passwd test
  5. Go on http://localhost:3474/test
  6. Content of /etc/passwd showed

Screenshot from 2020-08-20 15-01-04

🔥 Proof of Fix (PoF) *

Same steps with fixed version

Using the symlink flag:
Screenshot from 2020-08-22 00-44-07

Without symlink flag:
Screenshot from 2020-08-22 00-44-19

👍 User Acceptance Testing (UAT)

Seems all OK 👍

Submitted on behalf of @Mik317

@googlebot
Copy link

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.


What to do if you already signed the CLA

Individual signers
Corporate signers

ℹ️ Googlers: Go here for more info.

1 similar comment
@googlebot
Copy link

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.


What to do if you already signed the CLA

Individual signers
Corporate signers

ℹ️ Googlers: Go here for more info.

@JamieSlome
Copy link

@googlebot I signed it!

2 similar comments
@huntr-helper
Copy link
Author

@googlebot I signed it!

@Mik317
Copy link

Mik317 commented Aug 26, 2020

@googlebot I signed it!

@JamieSlome
Copy link

@mbleigh - could we have some assistance? All three of the contributors have signed the CLA and the bot doesn't seem to be responsive?

Cheers! 🍰

@googlebot
Copy link

CLAs look good, thanks!

ℹ️ Googlers: Go here for more info.

1 similar comment
@googlebot
Copy link

CLAs look good, thanks!

ℹ️ Googlers: Go here for more info.

@JamieSlome
Copy link

@mbleigh - ignore my previous comment.

I believe pushing a new commit to the pull request forced the webhooks to re-assess commit tagged e-mails.

Thanks! 🍰

Wrongly closed: Fixed path traversal vulnerability when symlinking directories
@googlebot
Copy link

All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter.

We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only @googlebot I consent. in this pull request.

Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the cla label to yes (if enabled on your project).

ℹ️ Googlers: Go here for more info.

1 similar comment
@google-cla
Copy link

google-cla bot commented Oct 9, 2020

All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter.

We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only @googlebot I consent. in this pull request.

Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the cla label to yes (if enabled on your project).

ℹ️ Googlers: Go here for more info.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants