OS directory traversal vulnerability #697

Closed
@vikram-chaitanya

Description

Hi,

I am using geddy in my app and wanted to prevent serving static files other than public (I don't even need public files). But I don't see any way to achieve this; by default geddy is opening up not only the public folder but the underlying OS folders also.

As an example, if I try to hit my application using http://localhost:4000/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd geddy is serving the output as it doesn't match the routes and it's a static file - https://github.com/geddy/geddy/blob/master/lib/app/index.js#L187

Is there any way to prevent this with some configuration by completely blocking static asset serving by geddy?