superstatic icon indicating copy to clipboard operation
superstatic copied to clipboard
verified publisher icon firebase

Security Fix for Path Traversal - huntr.dev

Open huntr-helper opened this issue 5 years ago â€ĸ 11 comments

https://huntr.dev/users/Mik317 has fixed the Path Traversal vulnerability 🔨. Mik317 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program đŸ’ĩ. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A Version Affected | ALL Bug Fix | YES Original Pull Request | https://github.com/418sec/superstatic/pull/2 Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/superstatic/1/README.md

User Comments:

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-npm-superstatic

⚙ī¸ Description *

The superstatic server was vulnerable against a path traversal issue which occurred because symlink files where showed, leading to dangerous scenario which could be exploitable.

đŸ’ģ Technical Description *

In order to avoid the issue, I added the possibility to simply check if the symlink option flag has been set when starting the server. If symlink flag is passed when invoking the superstatic command, the symlinks are showed and fetched successfully, whereas when symlink flag is missed, it's showed a 404 error.

The added flag makes possible switching really simply between the 2 options, and I added a bit of doc in the README to be sure people aware of the options it-self and risks.

Finally, the default value of the symlink flag is false (security reason, shares the same concept of other webserver like Nginx) and if devs are using the lib version, it's necessary just switching the default value to true in case they want to serve also symlink files.

🐛 Proof of Concept (PoC) *

  1. Install
  2. Go on the bin dir
  3. ./server
  4. Create a symlink like ln -s /etc/passwd test
  5. Go on http://localhost:3474/test
  6. Content of /etc/passwd showed

Screenshot from 2020-08-20 15-01-04

đŸ”Ĩ Proof of Fix (PoF) *

Same steps with fixed version

Using the symlink flag: Screenshot from 2020-08-22 00-44-07

Without symlink flag: Screenshot from 2020-08-22 00-44-19

👍 User Acceptance Testing (UAT)

Seems all OK :+1:

Submitted on behalf of @Mik317

huntr-helper avatar Aug 26 '20 09:08 huntr-helper

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

:memo: Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.

What to do if you already signed the CLA

Individual signers
Corporate signers

ℹī¸ Googlers: Go here for more info.

googlebot avatar Aug 26 '20 09:08 googlebot

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

:memo: Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.

What to do if you already signed the CLA

Individual signers
Corporate signers

ℹī¸ Googlers: Go here for more info.

googlebot avatar Aug 26 '20 09:08 googlebot

@googlebot I signed it!

JamieSlome avatar Aug 26 '20 14:08 JamieSlome

@googlebot I signed it!

huntr-helper avatar Aug 26 '20 14:08 huntr-helper

@googlebot I signed it!

Mik317 avatar Aug 26 '20 14:08 Mik317

@mbleigh - could we have some assistance? All three of the contributors have signed the CLA and the bot doesn't seem to be responsive?

Cheers! 🍰

JamieSlome avatar Aug 26 '20 14:08 JamieSlome

CLAs look good, thanks!

ℹī¸ Googlers: Go here for more info.

googlebot avatar Aug 27 '20 09:08 googlebot

CLAs look good, thanks!

ℹī¸ Googlers: Go here for more info.

googlebot avatar Aug 27 '20 09:08 googlebot

@mbleigh - ignore my previous comment.

I believe pushing a new commit to the pull request forced the webhooks to re-assess commit tagged e-mails.

Thanks! 🍰

JamieSlome avatar Aug 27 '20 09:08 JamieSlome

All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter.

We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only @googlebot I consent. in this pull request.

Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the cla label to yes (if enabled on your project).

ℹī¸ Googlers: Go here for more info.

googlebot avatar Oct 09 '20 15:10 googlebot

All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter.

We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only @googlebot I consent. in this pull request.

Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the cla label to yes (if enabled on your project).

ℹī¸ Googlers: Go here for more info.

google-cla[bot] avatar Oct 09 '20 15:10 google-cla[bot]