node-server icon indicating copy to clipboard operation
node-server copied to clipboard

Published 20 hours ago verified publisher icon honojs

support absolute root path for serveStatic

Open miyamonz opened this issue 1 year ago • 13 comments

Currently, serveStatic's options.root doesn't support absolute paths. It appears that the getFilePath utility function isn't designed for this case. I've created a small wrapper to address this issue.

miyamonz avatar Aug 01 '23 06:08 miyamonz

HI @miyamonz !

Thank you for the PR. This is a good feature. I've leaved some comments. Please check them!

yusukebe avatar Aug 04 '23 04:08 yusukebe

@miyamonz @yusukebe Spent a solid 30 minutes on this bug. ~~Do you mind if I continue this PR?~~ Seems like only the only comment is for a function name. Would love to see this land soon.

lilnasy avatar Dec 08 '23 19:12 lilnasy

I've reconsidered this feature. Allowing absolute paths could potentially lead to a traversal attack vulnerability.

If we decide to proceed, we need to address this risk seriously. I would like to hear opinions about this potential security issue.

yusukebe avatar Dec 09 '23 08:12 yusukebe

I'm not sure I see the concern. It's common enough to offer absolute path as root, and it's done by disallowing "/../" in the path.

For example, this is what send uses:

https://github.com/pillarjs/send/blob/b69cbb3dc4c09c37917d08a4c13fcd1bac97ade5/index.js#L63

Could you elaborate where a threat could come from?

lilnasy avatar Dec 09 '23 18:12 lilnasy

In Hono, we also do not allow /../ in this line. So, as you mentioned, we might not need to consider it as a risk.

https://github.com/honojs/hono/blob/main/src/utils/filepath.ts#L9

yusukebe avatar Dec 10 '23 13:12 yusukebe

That's reassuring. What do you think is next to progress this PR?

lilnasy avatar Dec 11 '23 19:12 lilnasy

Any progress on this PR? It's very useful in some cases.

yuyinws avatar Feb 18 '24 07:02 yuyinws

Any progress on this PR? It's very useful in some cases.

Workaround: https://github.com/honojs/hono/pull/3108#issuecomment-2225636805

schettn avatar Jul 12 '24 13:07 schettn

I've just stumbled upon this issue. I think one way to move this forward is to add a field like allowAbsoluteRoot: true to ServeStaticOptions, so that existing users of serveStatic are not affected by potential security issues.

fumieval avatar Aug 22 '24 02:08 fumieval

@yusukebe

Why not just introduce another param?

serveStatic({ root: './' })) serveStatic({ absoluteRoot: '/' }))

  • Add some checks to prevent both using both. (Typescript unions / runtime checks)

And then merge them at some point when hono has a major.

schettn avatar Aug 29 '24 07:08 schettn

@fumieval @schettn

I like allowAbsoluteRoot: true option. Letting users choose the option is a good idea.

yusukebe avatar Aug 29 '24 11:08 yusukebe

Should this be implemented in import { getFilePath } from 'hono/utils/filepath'?

Then just pass allowAbsoluteRoot to getFilePath instead of implementing getFilePathforAbsRoot here.

schettn avatar Aug 29 '24 12:08 schettn

Hey! I'll work on this matter from now.

yusukebe avatar Sep 15 '24 07:09 yusukebe