Security Fix for Path Traversal - huntr.dev #275
base: master
[FIX] Path traversal through Symlink files
Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please visit https://cla.developers.google.com/ to sign. Once you've signed (or fixed any issues), please reply here with

What to do if you already signed the CLA
Individual signers
Corporate signers

ℹ️ Googlers: Go here for more info.
@googlebot I signed it!

@mbleigh - could we have some assistance? All three of the contributors have signed the CLA and the bot doesn't seem to be responsive? Cheers! 🍻

CLAs look good, thanks! ℹ️ Googlers: Go here for more info.
@mbleigh - ignore my previous comment. I believe pushing a new commit to the pull request forced the webhooks to re-assess commit tagged e-mails. Thanks! 🍻
Wrongly closed: Fixed path traversal vulnerability when symlinking directories
All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only

Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the

ℹ️ Googlers: Go here for more info.
https://huntr.dev/users/Mik317 has fixed the Path Traversal vulnerability 🔨. Mik317 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💰. Think you could fix a vulnerability like this? Get involved at https://huntr.dev/
| Q | A |
|---|---|
| Version Affected | ALL |
| Bug Fix | YES |
| Original Pull Request | 418sec#2 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/superstatic/1/README.md |
User Comments:

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-npm-superstatic

⚙️ Description *

The `superstatic` server was vulnerable to a path traversal issue which occurred because `symlink` files were shown, leading to a dangerous scenario which could be exploitable.

💻 Technical Description *

In order to avoid the issue, I added the possibility to simply check if the `symlink` option flag has been set when starting the server. If the `symlink` flag is passed when invoking the `superstatic` command, the symlinks are shown and fetched successfully, whereas when the `symlink` flag is missing, a `404` error is shown.

The added `flag` makes it possible to switch really simply between the 2 options, and I added a bit of doc in the `README` to be sure people are aware of the option itself and the risks.

Finally, the `default` value of the `symlink` flag is `false` (security reason, shares the same concept as other webservers like `Nginx`) and if devs are using the `lib version`, it's necessary just to switch the `default` value to `true` in case they want to serve `symlink` files as well.

🐛 Proof of Concept (PoC) *

- `bin` dir: `./server`
- `symlink` like `ln -s /etc/passwd test`
- `/etc/passwd` showed

🔥 Proof of Fix (PoF) *

Same steps with the fixed version.

Using the `symlink` flag:

Without the `symlink` flag:

👍 User Acceptance Testing (UAT)

Seems all OK 👍
Submitted on behalf of @Mik317