[Bug] LocalFileSystem driver always allowing reading absolute paths is a major security vulnerability.
OJezu opened this issue · comments
If path is not normalized before being passed, and coming from a user, anyone can read any files on the host machine. E.g.
const flydrive = new LocalFileSystem({root: '/var/www/app/images'});
app.get('/image', async (req, res) => {
  // req.query.path reaches the driver exactly as the client sent it
  res.send(await flydrive.getBuffer(req.query.path));
});
Then requesting http://example.com/thumbnail?path=/etc/passwd
or http://example.com/thumbnail?path=../../../../etc/passwd
will return contents of /etc/passwd
LocalFileSystem should treat all paths as relative, and perform normalization before joining root path to file path.
@RomainLanz I already tested this.
path.join(this.$root, path.join('/', filename))
It's in this commit: gamfi@57179e0
And a lot of other things:
https://github.com/gamfi/flydrive/tree/feature/api-cleanup
It's an opinionated rewrite:
- removing features which were implemented by only one storage (append and prepend)
- adding metadata and headers support, but removing getStat
- removing getString as loading files to string is not advised (Buffers have .toString, anyway),
- creating a single test suite run against all storages (as the tests were using many methods per test anyway),
- dropping japa in favor of jest, as more feature-packed - japa is fast, but cannot even filter tests by name.
- testing against real s3 always.