search

gabrielcsapo / node-git-server

🎡 A configurable git server written in Node.js
https://gabrielcsapo.github.io/node-git-server
MIT License
253 stars 73 forks source link

Security Issue #62

Closed masasron closed 4 years ago

masasron commented 4 years ago

It is currently possible to overwrite the repoDir by sending a repository name that starts with /, the path.resolve method prioritizes the second argument see the example below.

path.resolve("/my/repo/folder","/etc");
// /etc

This behavior gives an attacker the ability to push/pull/clone repositories from an arbitrary absolute path, this could also impact authentication in some cases as it corrupts the repository name.

Reproduction The following will clone a repository from an absolute path.

git clone http://localhost:7005//Users/root/Desktop/testrepo.git ./cloned-from-desktop

The same technique could be used for git push/pull

gabrielcsapo commented 4 years ago

Thank you for the fix, merging and publishing this now.