Fix for the Unauthorized File Access vulnerability [huntr]

Fix for the Unauthorized File Access vulnerability. This fix prevents access to symlinks pointing to files outside of the project's base directory. @mufeedvh on huntr.dev
sintaxi · Feb 2, 2020 · 51cfb24 · 51cfb24
1 parent 56924b7
commit 51cfb24
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/lib/middleware.js b/lib/middleware.js
@@ -517,6 +517,22 @@ exports.process = function(req, rsp, next){
     /**
      * Now we let terraform handle the asset pipeline.
      */
+
+    // checking if the source file being served is a symlink
+    fs.lstat(sourceFile, function(err, stats) {
+      if (stats.isSymbolicLink()) {
+        fs.readlink(sourceFile, function (err, symlinkTo) {
+          // forbidding access if the symlink points to a file outside of the project's base directory to prevent path traversal
+          var projectPath = path.dirname(require.main.filename) // full path of the project's main file
+          var symlinkPath = path.dirname(symlinkTo)             // full path of the symlink
+          if (projectPath !== symlinkPath) {
+            var body = "403 Forbidden"
+            rsp.statusCode = 403
+            rsp.end(body)
+          }
+        });
+      }
+    });    
 
     req.poly.render(sourceFile, function(error, body){
       if(error){