From 51cfb247e25fae4abc845429f5c40d2f6a6e3dd4 Mon Sep 17 00:00:00 2001
From: Mufeed VH
Date: Sun, 2 Feb 2020 18:33:10 +0530
Subject: [PATCH] Fix for the Unauthorized File Access vulnerability [huntr]

Fix for the Unauthorized File Access vulnerability. This fix prevents access to symlinks pointing to files outside of the project's base directory.

@mufeedvh on huntr.dev
---
 lib/middleware.js | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/lib/middleware.js b/lib/middleware.js
index 19d6c601..7b14f6ab 100644
--- a/lib/middleware.js
+++ b/lib/middleware.js
@@ -517,6 +517,22 @@ exports.process = function(req, rsp, next){
 /**
 * Now we let terraform handle the asset pipeline.
 */
+
+ // checking if the source file being served is a symlink
+ fs.lstat(sourceFile, function(err, stats) {
+ if (stats.isSymbolicLink()) {
+ fs.readlink(sourceFile, function (err, symlinkTo) {
+ // forbidding access if the symlink points to a file outside of the project's base directory to prevent path traversal
+ var projectPath = path.dirname(require.main.filename) // full path of the project's main file
+ var symlinkPath = path.dirname(symlinkTo) // full path of the symlink
+ if (projectPath !== symlinkPath) {
+ var body = "403 Forbidden"
+ rsp.statusCode = 403
+ rsp.end(body)
+ }
+ });
+ }
+ });
 req.poly.render(sourceFile, function(error, body){
 if(error){
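Review bot: The symlink check never gates the response: `fs.lstat` and `fs.readlink` are asynchronous callbacks, so `req.poly.render(sourceFile, …)` at the end of the hunk runs immediately and the file is rendered whatever the check later decides, and a late `rsp.end("403 Forbidden")` then writes to a response that may already be ended. The check itself is also incomplete: `err` is never inspected, so a failed `lstat` throws on `stats.isSymbolicLink()`; `fs.readlink` returns the raw link target, which may be relative and is compared only for `path.dirname` equality, so links into project subdirectories are rejected while only the leaf link is examined (a symlinked parent directory is not resolved at all); and `path.dirname(require.main.filename)` is presumably the project root only when the main script lives there — worth confirming against how the server is launched. Resolving the served path with `fs.realpath`, checking the result against the root with `path.relative`, and rendering only inside that callback addresses all of these; the body of `exports.process` continues outside the hunk.

```javascript
  // Resolve every symlink on the path (leaf and parents) and gate the render on the result;
  // the check must complete before anything is sent.
  var projectPath = path.dirname(require.main.filename) // base dir, as chosen by this commit
  fs.realpath(sourceFile, function(err, realPath) {
    if (err) return next(err)
    var rel = path.relative(projectPath, realPath)
    if (rel === '..' || rel.indexOf('..' + path.sep) === 0 || path.isAbsolute(rel)) {
      rsp.statusCode = 403
      return rsp.end("403 Forbidden")
    }
    req.poly.render(sourceFile, function(error, body){
      // … unchanged: existing render callback, then close the realpath callback …
```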