Closed TSnake41 closed 5 years ago
Yea I mean this is pretty bad, you're serving your app source @ http://luvit.io//app/server.lua
The bug could be as simple as path.join('/static', '/etc/passwd') just becoming '/etc/passwd'
You also seem to have a weird .. interaction, in that requesting /../ (browsers/curl strip it so use telnet) returns a directory listing of the root instead of the index.html.
Any fix for this yet?
I've been messing with weblit and saw this issue. I can't seem to reproduce it locally with the following:
$ lit init
$ lit install creationix/weblit
server.lua contains:
require('weblit-app')
  .bind({
    host = "0.0.0.0",
    port = 8080
  })
  .use(require('weblit-logger'))
  .use(require('weblit-auto-headers'))
  .use(require('weblit-etag-cache'))
  .route({
    method = "GET",
    path = "/",
  }, function (req, res, go)
    res.body = "Hello world"
  end)
  .start()
Running with
$ luvit server.lua
Gets me
HTTP/1.1 404 Not Found
Server: test v0.0.1
Date: Wed, 31 Oct 2018 16:47:00 GMT
Connection: Keep-Alive
Content-Length: 10
Content-Type: text/plain
Body: "Not Found"
When I try to access http://0.0.0.0:8080//
I've also tried ../, ', and a whole bunch of other strings.
So... Maybe this repository is behind wherever the lit command pulls from?
My understanding is that this is a security bug in the weblit-static module. If you don't serve any static content from the file system, you probably won't encounter this.
Try enabling this to get a repro: https://github.com/creationix/weblit/blob/master/libs/weblit-static.lua
Wow, what was I thinking when I wrote this?!
So the real bug is in the coro-fs library's chroot helper which shouldn't allow leaving the chroot.
I fixed the root cause in coro-fs, make sure your apps have updated deps and coro-fs is at least 2.2.2.
Thanks for finding this.
Using an extra path separator '/', we can access the root directory (which is a very serious security issue).
For example: http://127.0.0.1:8080// It works with luvit.io: http://luvit.io//
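As an added illustration (not code from weblit or coro-fs), the Python sketch below shows the confinement check a static-file handler or chroot helper needs: posixpath.join discards the root when the second argument is absolute, which is exactly the path.join behaviour described in the thread, while the confined variant treats every request as relative to the root, normalises the result and refuses anything that lands outside. The root "/static" and the request strings are constructed for this example.

```python
import posixpath

# Constructed serving root for the example; a real handler would take
# this from its configuration.
ROOT = "/static"


def naive_join(root, requested):
    """The unsafe pattern: an absolute 'requested' throws the root away."""
    return posixpath.join(root, requested)


def confined_join(root, requested):
    """Resolve 'requested' under 'root'; raise ValueError if it escapes.

    Leading slashes are stripped so '/etc/passwd' and '//' are both read
    as relative to the root; '..' segments are collapsed by normpath and
    the result is then checked to still sit at or below the root.
    """
    root = posixpath.normpath(root)
    rel = requested.lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, rel))
    prefix = root if root.endswith("/") else root + "/"
    if candidate != root and not candidate.startswith(prefix):
        raise ValueError("path escapes root: %r" % requested)
    return candidate


def escapes(root, requested):
    """True when 'requested' would be rejected by confined_join."""
    try:
        confined_join(root, requested)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for req in ("/etc/passwd", "//", "../", "/../../etc/passwd", "css/../index.html"):
        print("%-20s naive=%-22s escapes=%s" % (req, naive_join(ROOT, req), escapes(ROOT, req)))
```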