
Security Fix for Path Traversal - huntr.dev #36

Merged (2 commits), Nov 20, 2020
Conversation

huntr-helper
https://huntr.dev/users/Mik317 has fixed the Path Traversal vulnerability 🔨. Mik317 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

| Q | A |
| --- | --- |
| Version Affected | ALL |
| Bug Fix | YES |
| Original Pull Request | 418sec#1 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/httpster/1/README.md |

User Comments:

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-npm-httpster

⚙️ Description *

The httpster file server was vulnerable to a path traversal issue, which existed because symlinks were fetched and their content served without any warning or error.

💻 Technical Description *

I inserted a new router into the express server created by httpster and used fs.lstat to check whether the requested file is a symlink or not.
If it is, and the --symlink flag is not specified on the server (default false, as in other servers such as Nginx), an error is thrown.

🐛 Proof of Concept (PoC) *

  1. Download httpster
  2. ln -s /etc/passwd test
  3. httpster
  4. Go to http://localhost:3333/test; the content of the /etc/passwd file is shown

Screenshot from 2020-08-25 17-23-54

🔥 Proof of Fix (PoF) *

  1. Same steps as above, but an error is given instead of the content of the /etc/passwd file

Screenshot from 2020-08-25 18-34-12

  2. Same steps, but start the server with httpster --symlink, and the /etc/passwd file is shown (option)

Screenshot from 2020-08-25 18-35-29

👍 User Acceptance Testing (UAT)

All ok 😄

@JamieSlome

@simb - let me know if you have any questions or thoughts.

Cheers! 🍰

@simb simb merged commit d3055b3 into SimbCo:master Nov 20, 2020