Summary
Missing check vulnerability in the static file handler allows any client to access the files in the server's file system
Details
When staticFiles
is set in the serve
settings in the configuration file, the following handler doesn't check if absolutePath
is still under the directory provided as staticFiles
;
if (staticFiles) {
router.get('/:relativePath+', async request => {
let { relativePath } = request.params;
if (!relativePath) {
relativePath = 'index.html';
}
const absolutePath = path.join(baseDir, staticFiles, relativePath);
if (absolutePath.includes(staticFiles) && (await pathExists(absolutePath))) {
const readStream = fs.createReadStream(absolutePath);
return new Response(readStream as any, {
status: 200,
});
}
return undefined;
});
Example scenario
To reproduce it, set staticFiles
to the relative path of a directory in .meshrc.yml
;
serve:
staticFiles: ./public
Then start the server with mesh dev
, and browse to /..%2fpackage.json
then you will see the content of package.json
. You can even go deeper to see sensitive data; /..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd
Impact and solution
If staticFiles
is set under serve
in the configuration file. you have two options to fix vulnerability;
- Update
@graphql-mesh/cli
to a version higher than 0.82.21
, and if you use @graphql-mesh/http
, update it to a version higher than 0.3.18
- Remove
staticFiles
option from the configuration, and use other solutions to serve static files.
Credits
Thanks [email protected] for reporting this vulnerability with details
References
Summary
Missing check vulnerability in the static file handler allows any client to access the files in the server's file system
Details
When
staticFiles
is set in theserve
settings in the configuration file, the following handler doesn't check ifabsolutePath
is still under the directory provided asstaticFiles
;Example scenario
To reproduce it, set
staticFiles
to the relative path of a directory in.meshrc.yml
;Then start the server with
mesh dev
, and browse to/..%2fpackage.json
then you will see the content ofpackage.json
. You can even go deeper to see sensitive data;/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd
Impact and solution
If
staticFiles
is set underserve
in the configuration file. you have two options to fix vulnerability;@graphql-mesh/cli
to a version higher than0.82.21
, and if you use@graphql-mesh/http
, update it to a version higher than0.3.18
staticFiles
option from the configuration, and use other solutions to serve static files.Credits
Thanks [email protected] for reporting this vulnerability with details
References