Closed daFritz84 closed 4 years ago
Hi,
there seems to be a severe security issue in web.js on line 162: Link
Calls to 'files delete' are unchecked and can be exploited to delete the entire installation. E.g., I was successful in removing package.json with the following code:
curl --request DELETE \ --url http://<IP_TO_YOUR_INSTALLATION>:3000/api/files \ --header 'content-type: application/x-www-form-urlencoded' \ --data file=package-lock.json
I propose only to allow the deletion of items in the commands subdirectory.
Thanks for the security note. Guess sending parent folders as well you really could start deleting things. I've limited it to the commands folder.
Hi,
there seems to be a severe security issue in web.js on line 162: Link
Calls to 'files delete' are unchecked and can be exploited to delete the entire installation. E.g., I was successful in removing package.json with the following code:
curl --request DELETE \ --url http://<IP_TO_YOUR_INSTALLATION>:3000/api/files \ --header 'content-type: application/x-www-form-urlencoded' \ --data file=package-lock.json
I propose only to allow the deletion of items in the commands subdirectory.