A directory traversal issue #8
Comments
Can you provide a more concrete example? I don't believe that's the case at all.
Sure, see the concrete example below that demonstrates the vulnerability:

```javascript
// Reporter's demonstration: hostr is assumed to be listening on port 3000.
// The request path steps above the served directory with "..".
var http = require('http');
http.get('http://localhost:3000/../C', (res) => {
  // Print whatever the server sends back; if traversal works, this is the
  // content of a file outside the working directory.
  res.on('data', (chunk) => {
    console.log(chunk.toString());
  });
});
```

You can generalize this example a little bit by replacing
Yes, I'm familiar with directory traversal. Directory traversal is not possible because of the router. Start
This was a quick development tool and not intended for production, obviously. I hope you're not using it for anything production related. If there's a bug with a specific version of node let me know (e.g. tested on 4.2.2 and 6.9.2 LTS). Thanks!
Right, if I set up hostr as my local development tool, it serves all files (not just the files in the working directory) on my machine to the local network, which is dangerous.
@JacksonGL The modules in the code were not intended to be used within a project; it should be used as an external tool. I hope that makes sense. I'm using If your code imports modules from If your code is external it'll serve the same response:
Thanks for your reply. I am trying to tell you about the vulnerability because it is published on npm and there are over 10k downloads. So I assume that there are some other people using your work as a development tool. Not sure I understand precisely what "using as an external tool" means; I started the server using the PS: I think both
Hmmm. Okay, I'm seeing the issue now. I've added a simple filter.
Awesome! Thanks. |
Original issue text: This package is vulnerable to directory traversal. An attacker can provide input such as `../` to read files outside of the specified working directory.