search

getnikola / nikola

A static website and blog generator
https://getnikola.com/
MIT License
2.62k stars 450 forks source link

Directory traversal vulnerability #3755

Closed Dreamsorcerer closed 10 months ago

Dreamsorcerer commented 10 months ago

I can't find any information about security reporting, so I'll just put this here. It appears that this project may have copied some code from aiohttp, which we've recently discovered is vulnerable to a directory traversal attack: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f

The similar-looking code is at: https://github.com/getnikola/nikola/blob/2f5cf49a8da230e31c91c8a7ad2a2689cde1fe43/nikola/plugins/command/auto/__init__.py#L543

Please verify if your code is vulnerable and fix if appropriate. The patch we used for aiohttp is https://github.com/aio-libs/aiohttp/pull/8079/files

Kwpolska commented 10 months ago

Thanks for the report. We don’t have a formal security reporting workflow, because Nikola is expected to be run on personal machines, and the nikola auto server should never be exposed to the public Internet. Feel free to take a look at PR #3756.