Prevent directory traversal in handlePut function
melvincarvalho opened this issue · comments
Issue:
There is a potential security issue in the handlePut function of the nosdav server, as it does not currently validate the target path to prevent directory traversal attempts. This could allow clients to upload files outside the specified root directory, potentially exposing sensitive data or allowing unauthorized modifications.
Suggested Solution:
To address this issue, modify the handlePut function to resolve and normalize the target path, and then ensure it is within the root directory. Here's an example of the changes needed:
function handlePut(
req,
res,
headers,
targetDir,
rootDir,
pathname,
mode,
owner
) {
// ... (existing code)
// Resolve and normalize the target path
const targetPath = path.resolve(rootDir, '.' + pathname)
// Check if the target path is within the root directory
if (!targetPath.startsWith(path.resolve(rootDir))) {
res.statusCode = 403
res.end('Forbidden: Target path is outside the root directory')
console.log('Forbidden: Target path is outside the root directory', targetPath, rootDir)
return
}
// ... (existing code)
}
Implementing these changes will help ensure that the server does not allow directory traversal attempts and protects sensitive files and data.