This repository was archived by the owner on Dec 19, 2023. It is now read-only.

Fix Path traversal vulnerability#1

Merged: JamieSlome merged 2 commits into 418sec:master from alromh87:master on Sep 10, 2020


Conversation

alromh87 commented Sep 4, 2020

📊 Metadata *

marscode is a web editor created with monaco-editor, jquery file tree and nodejs file tree to read, write, edit, delete (CRUD) files.

Affected versions of this package are vulnerable to Directory Traversal.

Bounty URL: https://www.huntr.dev/bounties/1-npm-marscode/

⚙️ Description *

There is no path sanitization in the path provided, making marscode vulnerable to path traversal through the ../ technique, leading to information exposure and file content disclosure.

💻 Technical Description *

Fixed by sanitizing any occurrence of ../, using regexp.

🐛 Proof of Concept (PoC) *

  1. Start the server:
    node index.js
  2. Request a private file from the server:
    curl -v --path-as-is http://127.0.0.1:8080/../../../../../../../../../../../etc/passwd
  3. /etc/passwd will be displayed.
    [Screenshot: PoC]

🔥 Proof of Fix (PoF) *

After the fix, response code 400 Bad Request is returned to the user instead of the restricted file content.
[Screenshot from 2020-09-02 15-33-46]

👍 User Acceptance Testing (UAT)

After the fix, functionality is unaffected.
[Screenshot from 2020-09-02 15-45-54]

Mik317 left a comment

Hi @alromh87 😄,
thanks for your help in securing the OSS 👍

The fix proposed is bypassable due to the usage of querystring.unescape which is used when the /api/.. endpoint is called. Try these steps:

  1. Start your server (fixed version) with node index.js
  2. Open another terminal and execute:
    curl --path-as-is http://localtest.me:8080/api/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd

[Screenshot from 2020-09-07 21-09-10]

Cheers,
Mik

alromh87 (Author) commented Sep 7, 2020

Thank you for calling my attention to it; taken care of.

alromh87 requested a review from Mik317 on September 7, 2020 at 19:42

Mik317 left a comment

Really solid fix 😄 🎉

Cheers,
Mik

JamieSlome merged commit 5131151 into 418sec:master on Sep 10, 2020

huntr-helper commented

Congratulations alromh87 - your fix has been selected! 🎉

Thanks for being part of the community & helping secure the world's open source code.
If you have any questions, please respond in the comments section. Your bounty is on its way - keep hunting!
