NodeGoat
Unexpected path traversal vulnerability
Looking at NodeGoat's results on LGTM.com, alongside the expected vulnerabilities there are some more alerts. Most are minor issues, but one is for this unexpected vulnerability:
https://lgtm.com/projects/g/OWASP/NodeGoat?mode=list&tag=external%2Fcwe%2Fcwe-022
The /tutorial/:page route passes the user-controlled page parameter directly to res.render, which is warned against in the express documentation:
(http://expressjs.com/en/4x/api.html#res.render) NOTE: The view argument performs file system operations like reading a file from disk and evaluating Node.js modules, and as so for security reasons should not contain input from the end-user.
For example, requesting /tutorial/layout renders the header and sidebar with no content. That's not too bad, but it's also possible to use relative paths to return any ".html" file on the server. An attacker could also trick express into trying to load any installed node module as a view engine.