Security Fix for Path Traversal - huntr.dev

[huntr-helper]

https://huntr.dev/users/Mik317 has fixed the Path Traversal vulnerability 🔨. Mik317 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#2
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/superstatic/1/README.md

User Comments:

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-npm-superstatic

⚙️ Description *

The superstatic server was vulnerable against a path traversal issue which occurred because symlink files where showed, leading to dangerous scenario which could be exploitable.

💻 Technical Description *

In order to avoid the issue, I added the possibility to simply check if the symlink option flag has been set when starting the server. If symlink flag is passed when invoking the superstatic command, the symlinks are showed and fetched successfully, whereas when symlink flag is missed, it's showed a 404 error.

The added flag makes possible switching really simply between the 2 options, and I added a bit of doc in the README to be sure people aware of the options it-self and risks.

Finally, the default value of the symlink flag is false (security reason, shares the same concept of other webserver like Nginx) and if devs are using the lib version, it's necessary just switching the default value to true in case they want to serve also symlink files.

🐛 Proof of Concept (PoC) *

1. Install
2. Go on the bin dir
3. ./server
4. Create a symlink like ln -s /etc/passwd test
5. Go on http://localhost:3474/test
6. Content of /etc/passwd showed

🔥 Proof of Fix (PoF) *

Same steps with fixed version

Using the symlink flag:

Without symlink flag:

👍 User Acceptance Testing (UAT)

Seems all OK 👍

Submitted on behalf of @Mik317

[googlebot]

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.

---

What to do if you already signed the CLA

Individual signers

• It's possible we don't have your GitHub username or you're using a different email address on your commit. Check your existing CLA data and verify that your email is set on your git commits.

Corporate signers

• Your company has a Point of Contact who decides which employees are authorized to participate. Ask your POC to be added to the group of authorized contributors. If you don't know who your Point of Contact is, direct the Google project maintainer to go/cla#troubleshoot (Public version).
• The email used to register you as an authorized contributor must be the email used for the Git commit. Check your existing CLA data and verify that your email is set on your git commits.
• The email used to register you as an authorized contributor must also be attached to your GitHub account.

ℹ️ Googlers: Go here for more info.

[googlebot]

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.

---

What to do if you already signed the CLA

Individual signers

• It's possible we don't have your GitHub username or you're using a different email address on your commit. Check your existing CLA data and verify that your email is set on your git commits.

Corporate signers

• Your company has a Point of Contact who decides which employees are authorized to participate. Ask your POC to be added to the group of authorized contributors. If you don't know who your Point of Contact is, direct the Google project maintainer to go/cla#troubleshoot (Public version).
• The email used to register you as an authorized contributor must be the email used for the Git commit. Check your existing CLA data and verify that your email is set on your git commits.
• The email used to register you as an authorized contributor must also be attached to your GitHub account.

ℹ️ Googlers: Go here for more info.

[JamieSlome]

@googlebot I signed it!

[huntr-helper]

@googlebot I signed it!

[Mik317]

@googlebot I signed it!

[JamieSlome]

@mbleigh - could we have some assistance? All three of the contributors have signed the CLA and the bot doesn't seem to be responsive?

Cheers! 🍰

[googlebot]

CLAs look good, thanks!

ℹ️ Googlers: Go here for more info.

[googlebot]

CLAs look good, thanks!

ℹ️ Googlers: Go here for more info.

[JamieSlome]

@mbleigh - ignore my previous comment.

I believe pushing a new commit to the pull request forced the webhooks to re-assess commit tagged e-mails.

Thanks! 🍰

[googlebot]

All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter.

We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only @googlebot I consent. in this pull request.

Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the cla label to yes (if enabled on your project).

ℹ️ Googlers: Go here for more info.

[google-cla]

All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter.

We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only @googlebot I consent. in this pull request.

Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the cla label to yes (if enabled on your project).

ℹ️ Googlers: Go here for more info.