Open
Description
Version
v18.12.0
Platform
Microsoft Windows NT 10.0.22621.0 x64
Subsystem
url
What steps will reproduce the bug?
On networked filesystems on Windows, the getpathfromurlwin32() function in the URL is used.
Where getpathfromurlwin32() functions are used, pass in a malicious parameter,there may be vulnerabilities, such as file reads
return isWindows ? getPathFromURLWin32(path) : getPathFromURLPosix(path);
How often does it reproduce? Is there a required condition?
The code provided will reproduce this issue every time on Windows
What is the expected behavior? Why is that the expected behavior?
No response
What do you see instead?
function getPathFromURLWin32(url) {
const hostname = url.hostname;
let pathname = url.pathname;
for (let n = 0; n < pathname.length; n++) {
if (pathname[n] === '%') {
const third = pathname.codePointAt(n + 2) | 0x20;
if ((pathname[n + 1] === '2' && third === 102) || // 2f 2F /
(pathname[n + 1] === '5' && third === 99)) { // 5c 5C \
throw new ERR_INVALID_FILE_URL_PATH(
'must not include encoded \\ or / characters'
);
}
}
}
pathname = StringPrototypeReplaceAll(pathname, '/', '\\');
pathname = decodeURIComponent(pathname);
if (hostname !== '') {
decoded.
return `\\\\${domainToUnicode(hostname)}${pathname}`;
}
// Otherwise, it's a local path that requires a drive letter
const letter = pathname.codePointAt(1) | 0x20;
const sep = pathname[2];
if (letter < CHAR_LOWERCASE_A || letter > CHAR_LOWERCASE_Z || // a..z A..Z
(sep !== ':')) {
throw new ERR_INVALID_FILE_URL_PATH('must be absolute');
}
return pathname.slice(1);
}在这个函数下,当我传入参数值为%20E://fl%2561g.txt,那么我可以成功读取文件
Additional information
No response