Issue #120: Path Traversal Vulnerability via Illegal URL Destination Parameter
Problem:
Normally, when the destination parameter is passed, the referenced file is downloaded. However, if a sequence such as ../ is URL-encoded and passed in the parameter, it enables access to files outside the intended directory. For instance, the string ../test/jest-e2e.json, when URL encoded, can be passed as the destination parameter: localhost:3000/files/download/..%2Ftest%2Fjest-e2e.json. This results in the file being served as a response, potentially exposing sensitive information.
How to Recreate:
Pass a URL-encoded string containing ../ as the destination parameter.
Access the corresponding endpoint, for example: localhost:3000/files/download/..%2Ftest%2Fjest-e2e.json.
The content of the jest-e2e.json file is served as a response, revealing potentially sensitive data.
Solution:
To mitigate this vulnerability, we need to validate the destination parameter to ensure it does not contain illegal characters or patterns that could lead to path traversal. We can achieve this with server-side validation that rejects requests whose destination parameter is invalid.
Changes:
Implement validation checks for the destination parameter in the affected endpoint's handler controller.
If the destination parameter contains illegal characters or patterns indicative of a path traversal attempt, return an appropriate error response and do not serve the requested file.
Test Cases
Allowed Test Cases:
The following files in the download directory are considered safe and are allowed:
new.txt
demo.c
new1232.js
Rejected Test Cases:
Requests attempting to access ../.env after URL encoding, which could leak the values stored in the .env file, are rejected, as shown in the screenshot below:
![Rejected Request](https://github.com/SamagraX-Stencil/stencil/assets/147340395/0eaaeac9-4b29-4daa-ae60-1a3d58a876db)
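An added example (not code from the stencil repository) of the check described under Solution and Changes, written as a plain TypeScript helper so it can be exercised without NestJS: it decodes the parameter, rejects any ".." segment, and confirms the resolved path is still inside an assumed upload root (/srv/stencil/uploads, a constructed value). The unchecked join that the issue describes is shown alongside for contrast, and the test cases above are the inputs it is meant to accept and reject.

```typescript
import * as path from 'path';

// Assumed upload root for this example (constructed; the real project's directory may differ).
const UPLOAD_ROOT = path.resolve('/srv/stencil/uploads');

// The pattern the issue describes: the decoded parameter is joined onto the root
// with no check, so "../test/jest-e2e.json" escapes the upload directory.
export function vulnerableDownloadPath(rawDestination: string, root = UPLOAD_ROOT): string {
  return path.join(root, decodeURIComponent(rawDestination));
}

// Hardened version: returns the absolute file path to serve, or null when the
// request must be answered with an error response instead of a file.
export function resolveDownloadPath(rawDestination: string, root = UPLOAD_ROOT): string | null {
  let decoded: string;
  try {
    decoded = decodeURIComponent(rawDestination); // same decoding the router applies to %2F
  } catch {
    return null; // malformed percent-encoding
  }
  if (decoded.length === 0 || decoded.includes('\0')) {
    return null; // empty name or embedded NUL byte
  }
  // Reject any ".." segment, whether separated by "/" or "\".
  if (decoded.split(/[\\/]+/).some((segment) => segment === '..')) {
    return null;
  }
  // Resolve and confirm the result is still inside the root. This also catches
  // absolute paths, which path.resolve would otherwise return as-is.
  const candidate = path.resolve(root, decoded);
  const relative = path.relative(root, candidate);
  if (
    relative === '' ||
    relative === '..' ||
    relative.startsWith('..' + path.sep) ||
    path.isAbsolute(relative)
  ) {
    return null;
  }
  return candidate;
}
```

In the controller, a null result maps to the error response described under Changes, while a non-null result is the only path handed to the file-serving call.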