OS directory traversal vulnerability #697

Closed
vikram-chaitanya opened this issue Jul 27, 2015 · 2 comments
@vikram-chaitanya

Hi,

I am using geddy in my app and wanted to prevent serving static files other than public (I don't even need public files). But I don't see any way to achieve this; by default geddy opens up not only the public folder but the underlying OS folders as well.

As an example, if I try to hit my application using http://localhost:4000/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd, geddy serves the output, as it doesn't match the routes and is treated as a static file - https://github.com/geddy/geddy/blob/master/lib/app/index.js#L187

Is there any way to prevent this with some configuration, by completely blocking static asset serving by geddy?

vikram-chaitanya changed the title from "OS directory traversal vulnerability issue" to "OS directory traversal vulnerability" Jul 27, 2015
phanect self-assigned this Jul 27, 2015
phanect added the Bug label Jul 27, 2015
@phanect
Member

phanect commented Jul 27, 2015

Fixed in #699.
We'll soon release it.

@phanect phanect closed this as completed Jul 27, 2015
@phanect
Member

phanect commented Jul 28, 2015

Released.
