Different URL parsing between fastify and URL whatwg standard #5204
Comments
Security reports should follow the security process at https://github.com/fastify/fastify/blob/main/SECURITY.md. Reporting them in public poses a significant threat to the community and likely your employer as well (if you are using Fastify in production). Causing data leaks and security incidents for your employer could also be a legitimate firing offense in a few legislations - or at least a bad mark in your employment contract. Luckily for you, this is not one. There are almost infinite ways that a
Hi Matteo and thanks for your response,
Take a look at https://owasp.org/www-community/attacks/Path_Traversal. Essentially it shows quite an extensive list of possible path traversal attacks. What you do with inputs is up to you.
@mcollina I think it's not really about the path traversal, but rather that fastify uses a different URL parsing than nodejs itself for route matching. If you have an inbound call with
Hi @mcollina
I don't think we plan to change the algorithm. More importantly, there are valid use cases for '..' not being interpreted like that. Fastify never aimed to be compatible with the WHATWG URL parsing standard.
Prerequisites
Fastify version: 4.x.x
Plugin version: x.x.x
Node.js version: 20.x
Operating system: Linux
Operating system version (i.e. 20.04, 11.3, 10): 22.04
Description
Hi,
when using an HTTP client that parses the URL with the WHATWG URL class, ../ and ./ are evaluated as described in the WHATWG standard: https://url.spec.whatwg.org/#url-representation
What does this have to do with fastify?
If a request hits fastify, ../ and ./ are not evaluated; all the routing is done with the original path. If you then forward the call to another service using request.raw.url with an HTTP client that uses the WHATWG URL class, a path traversal attack is possible. So a completely different path can be called on the target service.
Steps to Reproduce
I have prepared a sample application.
https://github.com/stefanbeigel/whatwg-fastify-path-traversal/blob/main/index.mjs
Call the app with
curl --path-as-is localhost:3000/abc/../foobar
Expected Behavior
Maybe fastify could parse the incoming URL with a WHATWG-compliant URL parser and resolve ../ and ./ before the handler matching is done, and also put the parsed URL into request.raw.url.
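As an added illustration (not code from the issue, the reporter's sample app, or Fastify itself), the snippet below shows the mismatch the report describes and a guard a forwarding handler can apply before reusing request.raw.url: it resolves the raw path the way a WHATWG URL client would and refuses to forward when the raw path contains dot segments, including the percent-encoded spellings the WHATWG spec also treats as dot segments. The upstream base URL is a constructed placeholder.

```javascript
// Constructed placeholder for the service the handler would forward to.
const UPSTREAM = 'http://upstream.internal:8080';

// The path a WHATWG-URL-based client actually requests: dot segments are
// removed at parse time, so '/abc/../foobar' becomes '/foobar'.
function whatwgPath(rawUrl) {
  const u = new URL(rawUrl, UPSTREAM);
  return u.pathname + u.search;
}

// Single- and double-dot segments as the WHATWG URL spec defines them,
// including the percent-encoded forms (matched case-insensitively).
const DOT_SEGMENTS = new Set(['.', '%2e', '..', '.%2e', '%2e.', '%2e%2e']);

// True when the raw path (query string excluded) holds any dot segment,
// i.e. when Fastify's route match and the forwarded path would disagree.
function hasDotSegments(rawUrl) {
  const pathOnly = rawUrl.split('?')[0];
  return pathOnly.split('/').some((seg) => DOT_SEGMENTS.has(seg.toLowerCase()));
}

// Forward only when routing and forwarding see the same path; otherwise
// return null so the caller can answer 400 instead of proxying.
function forwardTarget(rawUrl) {
  if (hasDotSegments(rawUrl)) return null;
  return UPSTREAM + whatwgPath(rawUrl);
}
```

Running `curl --path-as-is localhost:3000/abc/../foobar` against a handler that calls forwardTarget(request.raw.url) yields null, whereas the unguarded whatwgPath call shows the upstream would have received /foobar.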