When using the static middleware, if the URL contains a valid file name and a trailing backslash the node server will crash with Error: ENOENT, no such file or directory.
Place a file called index.html in the /public directory and visit localhost:3000/index.html\ (note the trailing backslash). The node server will crash instead of being handled by the 404 route as expected. Since the node server crashes, this is a pretty easy denial of service attack.
The reason for this behavior (as pointed out by Felix Loether on Stack Overflow) seems to be the difference in how fs.stat and fs.createReadStream handle trailing backslashes.
When the string 'path/to/public/index.html' is given to fs.stat in the static middleware, it is ignored (running stat index.html\ on the command line checks for a file named index.html, you'd have to run stat index.html\\ for index.html). So fs.stat thinks the file was found because it thinks you're asking for index.html, and doesn't call the next middleware handler.
Later, that string is passed to fs.createReadStream which thinks it's looking for index.html. It doesn't find that file and throws said error.
To get around this issue, I used a simple custom middleware to strip out trailing backslashes from the request.
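A workaround of the kind described above, as an added example that is not the issue author's code: a Connect/Express-style middleware that removes trailing backslashes from the request path before the static middleware sees it. It goes slightly beyond the post by also handling the percent-encoded form (`%5C`) and leaving the query string untouched; the names `stripTrailingBackslashes` and `demo` are hypothetical.

```javascript
// Added example. Middleware signature (req, res, next) as used by Connect/Express.
// Strips trailing backslashes, literal or percent-encoded (%5C), from the
// path portion of req.url so later middleware never receives them.
function stripTrailingBackslashes(req, res, next) {
  const url = req.url || '';

  // Split off the query string so only the path is rewritten.
  const q = url.indexOf('?');
  const path = q === -1 ? url : url.slice(0, q);
  const query = q === -1 ? '' : url.slice(q);

  // Remove any run of "\" or "%5C"/"%5c" at the very end of the path.
  const cleaned = path.replace(/(?:\\|%5c)+$/i, '');

  // Never leave an empty path behind.
  req.url = (cleaned === '' ? '/' : cleaned) + query;
  next();
}

// Helper for trying the middleware on constructed request objects
// (plain objects standing in for real http.IncomingMessage instances).
function demo(url) {
  const req = { url };
  let nextCalled = false;
  stripTrailingBackslashes(req, {}, () => { nextCalled = true; });
  return { url: req.url, nextCalled };
}

// Constructed sample URLs, including the one from the report.
for (const sample of ['/index.html\\', '/index.html%5C', '/index.html?x=1']) {
  console.log(JSON.stringify(sample), '->', JSON.stringify(demo(sample).url));
}
```

Register it with `app.use(stripTrailingBackslashes)` ahead of the static middleware so the rewritten URL is what the file lookup receives.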