Conversation

safijari (Contributor)

Description

Fix for this using std::filesystem and computing relative paths.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Dependency update (updates to dependencies)
  • Documentation update (changes to documentation)
  • Repository update (changes to repository files, e.g. .github/...)

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have added or updated the in code docstring/documentation-blocks for new or existing methods/components

Branch Updates

LizardByte requires that branches be up-to-date before merging. This means that after any PR is merged, this branch must be updated before it can be merged. You must also Allow edits from maintainers.

  • I want maintainers to keep my branch updated

@safijari safijari marked this pull request as ready for review January 25, 2023 03:04
response->write(SimpleWeb::StatusCode::success_ok, in, headers);
else if(!isChildPath(filePath, nodeModulesPath)) {
BOOST_LOG(warning) << "Someone requested a path " << filePath << " that is outside the node_modules folder";
response->write(SimpleWeb::StatusCode::client_error_bad_request, "Not Authorized");
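Review bot: the `else if(!isChildPath(...))` branch answers with a 400 and the body "Not Authorized", which is a different reply from the not-found case, so a caller can tell that a path resolved outside `node_modules` even when the file does not exist; moving the `isChildPath` check ahead of the existence check and returning the same status and body for both cases removes that distinction. The warning log also writes the raw `filePath` into the log line; consider quoting or escaping it so a crafted request cannot inject line breaks into the log.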
Member

I would still log the attempt, but give 404 nevertheless. The attacker shouldn't know if the file exists or not

@safijari safijari (Contributor Author) Jan 25, 2023

How about a straight up 400 with no other info. We can do the 400 in the case that the path is outside the node modules even if it doesn't exist. That way there would be no way to map out the user's computer.

Contributor Author

Ok I've made that change in my latest commit and it seems to work as expected. Lemme know your thoughts.
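The PR description says the fix uses `std::filesystem` and relative paths, and the review thread settles on one uniform reply for anything outside the served tree, whether or not the target exists. The following is an added example written for this page, not Sunshine's or SimpleWeb's code: `isChildPath`, `isChildPathResolved`, `classifyRequest` and the `Verdict` enum are hypothetical names, and the `/srv/web/node_modules` root used below is a constructed sample. The containment check is purely lexical and runs before any file I/O, so a request that escapes the root gets the same verdict regardless of whether the escaped-to file exists.

```cpp
#include <filesystem>
#include <string>
#include <system_error>

namespace fs = std::filesystem;

// Purely lexical containment check: normalise both paths and ask whether
// `candidate` can be expressed relative to `root` without any ".." step.
// Nothing on disk is touched, so the verdict is identical whether or not the
// target exists, which is what denies a caller an existence oracle.
bool isChildPath(const fs::path &candidate, const fs::path &root) {
  const fs::path rel =
    candidate.lexically_normal().lexically_relative(root.lexically_normal());
  if (rel.empty()) {
    // Different root names, or absolute vs relative: cannot be inside.
    return false;
  }
  for (const auto &part : rel) {
    if (part == "..") {
      return false;
    }
  }
  return true;
}

// Same check after resolving symlinks in whatever prefix of each path exists
// on disk, so a symlink inside `root` pointing outward is also caught.
// Any filesystem error is treated as "not inside".
bool isChildPathResolved(const fs::path &candidate, const fs::path &root) {
  std::error_code ec;
  const fs::path realCandidate = fs::weakly_canonical(candidate, ec);
  if (ec) {
    return false;
  }
  const fs::path realRoot = fs::weakly_canonical(root, ec);
  if (ec) {
    return false;
  }
  return isChildPath(realCandidate, realRoot);
}

// Outcome of the pre-I/O decision (hypothetical type for this example).
enum class Verdict { Allowed, Rejected };

// Map the URL path that follows the route prefix onto the served tree and
// decide before opening anything. Everything that escapes `root` gets one
// uniform verdict; a file that is inside but missing is only discovered by
// the later open, which is where the 404 belongs.
Verdict classifyRequest(const std::string &urlPath, const fs::path &root) {
  // relative_path() drops a leading "/" so the request cannot replace root.
  const fs::path filePath = root / fs::path(urlPath).relative_path();
  return isChildPath(filePath, root) ? Verdict::Allowed : Verdict::Rejected;
}
```

Checking the prefix by string comparison would accept `/srv/web/node_modules_evil/x.js` for a root of `/srv/web/node_modules`; `lexically_relative` yields `../node_modules_evil/x.js` for that case and the check rejects it. Requires C++17 (older GCC needs `-lstdc++fs`).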

@ReenigneArcher ReenigneArcher changed the title Alternate PR for SimpleWeb arbitrary file read vulnerability Fix SimpleWeb arbitrary file read vulnerability Jan 25, 2023
@ReenigneArcher ReenigneArcher merged commit 35b6608 into LizardByte:nightly Jan 25, 2023