Merge pull request #659 from 418sec/master

harp - Unauthorized File Access - Fix:
sintaxi · Jun 6, 2021 · 28611cb · 28611cb
2 parents fbc638f + 4c5f0f5
commit 28611cb
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/lib/middleware.js b/lib/middleware.js
@@ -608,6 +608,22 @@ exports.process = function(req, rsp, next){
     /**
      * Now we let terraform handle the asset pipeline.
      */
+
+    // checking if the source file being served is a symlink
+    fs.lstat(sourceFile, function(err, stats) {
+      if (stats.isSymbolicLink()) {
+        fs.readlink(sourceFile, function (err, symlinkTo) {
+          // forbidding access if the symlink points to a file outside of the project's base directory to prevent path traversal
+          var projectPath = path.dirname(require.main.filename) // full path of the project's main file
+          var symlinkPath = path.dirname(symlinkTo)             // full path of the symlink
+          if (projectPath !== symlinkPath) {
+            var body = "403 Forbidden"
+            rsp.statusCode = 403
+            rsp.end(body)
+          }
+        });
+      }
+    });    
 
     req.poly.render(sourceFile, function(error, body){
       if(error){