SamagraX-Stencil / stencil

NestJS on steroids 💪
https://stencil.samagra.io
MIT License

Fix: Path traversal by passing illegal URL as destination parameter in download file function #120

Open ShivamAher30 opened 3 months ago

ShivamAher30 commented 3 months ago

Problem: Path Traversal Vulnerability via Illegal URL Destination Parameter

How to Recreate:

  1. Normally, when passing the destination parameter, a file is downloaded.
  2. However, if characters like ../ are added and passed as a parameter after URL encoding, it enables access to files outside of the directory.
  3. For instance, the string ../test/jest-e2e.json, when URL encoded, can be passed as the destination parameter: localhost:3000/files/download/..%2Ftest%2Fjest-e2e.json.
  4. This results in the file being served as a response, potentially exposing information.

Response: The content of jest-e2e.json file is served as a response, revealing data:

{
  "moduleFileExtensions": ["js", "json", "ts"],
  "rootDir": ".",
  "testEnvironment": "node",
  "testRegex": ".e2e-spec.ts$",
  "transform": {
    "^.+\\.(t|j)s$": "ts-jest"
  }
}

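One way a download handler can reject the `..%2Ftest%2Fjest-e2e.json` request described in the report, as an added example that is not part of the issue or of the stencil code base: resolve the destination against the allowed base directory and refuse anything whose real path lands outside it. The base directory `/srv/stencil/uploads` and the function name are assumptions; the check uses only Node's `path` module and is meant to run before the file is opened or sent.

```typescript
import * as path from "node:path";

/**
 * Resolve a user-supplied `destination` route parameter to an absolute path
 * inside `baseDir`. Returns that path, or null when the request is malformed
 * or would escape the directory (e.g. "..%2Ftest%2Fjest-e2e.json").
 *
 * Hypothetical helper for a NestJS/Express download endpoint: on null the
 * controller should answer 400 instead of calling sendFile/createReadStream.
 */
export function resolveDownloadPath(baseDir: string, destination: string): string | null {
  // Express already percent-decodes route params once; decoding again here is a
  // defensive assumption so "..%252F" (double-encoded) is checked in its final
  // form rather than slipping through as an odd-looking file name.
  let decoded: string;
  try {
    decoded = decodeURIComponent(destination);
  } catch {
    return null; // malformed percent-encoding
  }
  if (decoded.includes("\0")) return null; // NUL bytes truncate paths in libc

  const root = path.resolve(baseDir);
  // resolve() collapses "." and ".." segments, so the containment check below
  // sees the real target; an absolute `decoded` replaces `root` entirely and is
  // caught by the same check.
  const candidate = path.resolve(root, decoded);
  const rel = path.relative(root, candidate);

  // Inside `root` iff the relative path is non-empty, not absolute (possible on
  // Windows across drives) and does not start with a ".." segment. A file
  // literally named "..foo" is still allowed.
  if (rel === "" || path.isAbsolute(rel)) return null;
  if (rel === ".." || rel.startsWith(".." + path.sep)) return null;
  return candidate;
}
```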