lite-server icon indicating copy to clipboard operation
lite-server copied to clipboard

Published 20 hours ago verified publisher icon johnpapa

Server crashes on directory traversal attempt with invalid UTF-8 character

Open EvanKnowles opened this issue 8 years ago • 5 comments

Server crashes on directory traversal attempt with invalid UTF-8 character

A scheduled scan kicked off on our network and crashed my npm-lite server. Checking the logs, the crash was on a GET for /%80../%80../%80../%80../%80../%80../windows/win.ini

%80 is not a valid URL encoded character under UTF-8, which may be why it crashed.

Bug repro steps

  1. Launch server
  2. Attempt to navigate to /%80../%80../%80../%80../%80../%80../windows/win.ini
  3. Server crashes

Environment

  • lite-server version: 2.2.0
  • nodejs version: v4.4.5
  • npm version: 2.15.5
  • OS type/version: Win 7 Enterprise 64-bit

Server log:

[1] D:\testAngular\angular2-typescript-quickstart\node_modules\lite-server\node_modules\connect-logger\lib\logger.js:15 [1] format = format.replace(/%url/g, "\x1b[90m" + (decodeURI((url.parse(req.url)).pathname)) + "\x1b[0m"); [1] ^ [1] [1] URIError: URI malformed [1] at decodeURI (native) [1] at parse (D:\testAngular\angular2-typescript-quickstart\node_modules\lite-server\node_modules\connect-logger\lib\logger.js:15:52) [1] at ServerResponse.res.end (D:\testAngular\angular2-typescript-quickstart\node_modules\lite-server\node_modules\connect-logger\lib\logger.js:41:17) [1] at Array.write (D:\testAngular\angular2-typescript-quickstart\node_modules\lite-server\node_modules\browser-sync\node_modules\connect\node_modules\finalhandler\index.js:137:9) [1] at listener (D:\testAngular\angular2-typescript-quickstart\node_modules\lite-server\node_modules\browser-sync\node_modules\connect\node_modules\finalhandler\node_modules\on-finished\index.js:169:15) [1] at onFinish (D:\testAngular\angular2-typescript-quickstart\node_modules\lite-server\node_modules\browser-sync\node_modules\connect\node_modules\finalhandler\node_modules\on-finished\index.js:100:5) [1] at callback (D:\testAngular\angular2-typescript-quickstart\node_modules\lite-server\node_modules\browser-sync\node_modules\connect\node_modules\finalhandler\node_modules\on-finished\node_modules\ee-first\index.js:55:10) [1] at IncomingMessage.onevent (D:\testAngular\angular2-typescript-quickstart\node_modules\lite-server\node_modules\browser-sync\node_modules\connect\node_modules\finalhandler\node_modules\on-finished\node_modules\ee-first\index.js:93:5) [1] at emitNone (events.js:67:13) [1] at IncomingMessage.emit (events.js:166:7) [1]

EvanKnowles avatar Jun 06 '16 07:06 EvanKnowles

Ive ran into the same thing. It happens with any uri containing a "%" and ".." respectively.

Browser Output

Cannot GET /%j..

Server Output

   Local: http://localhost:3000
External: http://172.17.0.4:3000

      UI: http://localhost:3001

UI External: http://172.17.0.4:3001

[BS] Serving files from: ./ [BS] Watching files... 16.06.22 15:20:32 304 GET /index.html 16.06.22 15:20:45 304 GET /index.html /usr/lib/node_modules/lite-server/node_modules/connect-logger/lib/logger.js:15 format = format.replace(/%url/g, "\x1b[90m" + (decodeURI((url.parse(req.url)).pathname)) + "\x1b[0m"); ^

URIError: URI malformed at decodeURI (native) at parse (/usr/lib/node_modules/lite-server/node_modules/connect-logger/lib/logger.js:15:52) at ServerResponse.res.end (/usr/lib/node_modules/lite-server/node_modules/connect-logger/lib/logger.js:41:17) at Array.write (/usr/lib/node_modules/lite-server/node_modules/finalhandler/index.js:137:9) at listener (/usr/lib/node_modules/lite-server/node_modules/on-finished/index.js:169:15) at onFinish (/usr/lib/node_modules/lite-server/node_modules/on-finished/index.js:100:5) at callback (/usr/lib/node_modules/lite-server/node_modules/ee-first/index.js:55:10) at IncomingMessage.onevent (/usr/lib/node_modules/lite-server/node_modules/ee-first/index.js:93:5) at emitNone (events.js:80:13) at IncomingMessage.emit (events.js:179:7)

lmcnjmiller avatar Jun 22 '16 15:06 lmcnjmiller

Ditto, a simple Nikto scan killed my npm-lite. Workarounds?

Speculor avatar Jul 14 '16 04:07 Speculor

Not what you want to hear but removing the whole line of code worked to stop killing my npm-lite.

RookTKO avatar Feb 11 '19 06:02 RookTKO

this is still a current problem. Can someone upload an npm package that would fix this problem?

MakcStudio avatar Jul 05 '23 16:07 MakcStudio

After poking around in the code, I found a solution to this problem. you just need to disable the standard middleware. Here is an example via file: bs-config.json

{ "port": 1234, "server": { "baseDir": "./dist", "middleware": { "0": null } }, "ui": false, "notify": false, "ghostMode": false, "snippet": false, "online": false }

MakcStudio avatar Jul 05 '23 16:07 MakcStudio