This repository has been archived by the owner on Dec 19, 2023. It is now read-only.

[FIX] Path traversal through Symlink files #2

Merged: 10 commits, Aug 26, 2020

Conversation

@Mik317 commented Aug 21, 2020

📊 Metadata

Bounty URL: https://www.huntr.dev/bounties/1-npm-superstatic

⚙️ Description

The superstatic server was vulnerable to a path traversal issue which occurred because symlink files were shown, leading to a dangerous scenario which could be exploitable.

💻 Technical Description

In order to avoid the issue, I added the possibility to simply check if the symlink option flag has been set when starting the server. If the symlink flag is passed when invoking the superstatic command, the symlinks are shown and fetched successfully, whereas when the symlink flag is missing, a 404 error is shown.

The added flag makes it possible to switch really simply between the 2 options, and I added a bit of doc in the README to be sure people are aware of the option itself and the risks.

Finally, the default value of the symlink flag is false (security reason; it shares the same concept as other webservers like Nginx) and if devs are using the lib version, they just need to switch the default value to true in case they want to serve symlink files as well.

🐛 Proof of Concept (PoC)

  1. Install
  2. Go on the bin dir
  3. ./server
  4. Create a symlink like ln -s /etc/passwd test
  5. Go on http://localhost:3474/test
  6. Content of /etc/passwd shown

Screenshot from 2020-08-20 15-01-04

🔥 Proof of Fix (PoF)

Same steps with fixed version

Using the symlink flag:
Screenshot from 2020-08-22 00-44-07

Without symlink flag:
Screenshot from 2020-08-22 00-44-19

👍 User Acceptance Testing (UAT)

Seems all OK 👍

@mufeedvh left a comment

Good fix! 👏🎉

LGTM

@JamieSlome JamieSlome removed the request for review from toufik-airane August 26, 2020 09:37
@JamieSlome JamieSlome merged commit cbe8c43 into 418sec:master Aug 26, 2020
@huntr-helper (Member) commented

Congratulations Mik317 - your fix has been selected! 🎉

Thanks for being part of the community & helping secure the world's open source code.
If you have any questions, please respond in the comments section. Your bounty is on its way - keep hunting!
