Open EvanKnowles opened 8 years ago
I've run into the same thing. It happens with any URI containing a "%" and ".." respectively.
Browser Output
Cannot GET /%j..
Server Output
Local: http://localhost:3000
External: http://172.17.0.4:3000
UI: http://localhost:3001
UI External: http://172.17.0.4:3001
[BS] Serving files from: ./
[BS] Watching files...
16.06.22 15:20:32 304 GET /index.html
16.06.22 15:20:45 304 GET /index.html
/usr/lib/node_modules/lite-server/node_modules/connect-logger/lib/logger.js:15
    format = format.replace(/%url/g, "\x1b[90m" + (decodeURI((url.parse(req.url)).pathname)) + "\x1b[0m");
                                                     ^
URIError: URI malformed
    at decodeURI (native)
    at parse (/usr/lib/node_modules/lite-server/node_modules/connect-logger/lib/logger.js:15:52)
    at ServerResponse.res.end (/usr/lib/node_modules/lite-server/node_modules/connect-logger/lib/logger.js:41:17)
    at Array.write (/usr/lib/node_modules/lite-server/node_modules/finalhandler/index.js:137:9)
    at listener (/usr/lib/node_modules/lite-server/node_modules/on-finished/index.js:169:15)
    at onFinish (/usr/lib/node_modules/lite-server/node_modules/on-finished/index.js:100:5)
    at callback (/usr/lib/node_modules/lite-server/node_modules/ee-first/index.js:55:10)
    at IncomingMessage.onevent (/usr/lib/node_modules/lite-server/node_modules/ee-first/index.js:93:5)
    at emitNone (events.js:80:13)
    at IncomingMessage.emit (events.js:179:7)
Ditto, a simple Nikto scan killed my npm-lite. Workarounds?
Not what you want to hear but removing the whole line of code worked to stop killing my npm-lite.
This is still a current problem. Can someone upload an npm package that would fix this problem?
After poking around in the code, I found a solution to this problem. You just need to disable the standard middleware. Here is an example via the file bs-config.json:

{
  "port": 1234,
  "server": {
    "baseDir": "./dist",
    "middleware": { "0": null }
  },
  "ui": false,
  "notify": false,
  "ghostMode": false,
  "snippet": false,
  "online": false
}
Server crashes on directory traversal attempt with invalid UTF-8 character
A scheduled scan kicked off on our network and crashed my npm-lite server. Checking the logs, the crash was on a GET for /%80../%80../%80../%80../%80../%80../windows/win.ini
%80 is not a valid URL-encoded character under UTF-8, which may be why it crashed.
Bug repro steps
Environment
lite-server version: 2.2.0
nodejs version: v4.4.5
npm version: 2.15.5
Server log:
[1] D:\testAngular\angular2-typescript-quickstart\node_modules\lite-server\node_modules\connect-logger\lib\logger.js:15
[1]     format = format.replace(/%url/g, "\x1b[90m" + (decodeURI((url.parse(req.url)).pathname)) + "\x1b[0m");
[1]                                                      ^
[1]
[1] URIError: URI malformed
[1]     at decodeURI (native)
[1]     at parse (D:\testAngular\angular2-typescript-quickstart\node_modules\lite-server\node_modules\connect-logger\lib\logger.js:15:52)
[1]     at ServerResponse.res.end (D:\testAngular\angular2-typescript-quickstart\node_modules\lite-server\node_modules\connect-logger\lib\logger.js:41:17)
[1]     at Array.write (D:\testAngular\angular2-typescript-quickstart\node_modules\lite-server\node_modules\browser-sync\node_modules\connect\node_modules\finalhandler\index.js:137:9)
[1]     at listener (D:\testAngular\angular2-typescript-quickstart\node_modules\lite-server\node_modules\browser-sync\node_modules\connect\node_modules\finalhandler\node_modules\on-finished\index.js:169:15)
[1]     at onFinish (D:\testAngular\angular2-typescript-quickstart\node_modules\lite-server\node_modules\browser-sync\node_modules\connect\node_modules\finalhandler\node_modules\on-finished\index.js:100:5)
[1]     at callback (D:\testAngular\angular2-typescript-quickstart\node_modules\lite-server\node_modules\browser-sync\node_modules\connect\node_modules\finalhandler\node_modules\on-finished\node_modules\ee-first\index.js:55:10)
[1]     at IncomingMessage.onevent (D:\testAngular\angular2-typescript-quickstart\node_modules\lite-server\node_modules\browser-sync\node_modules\connect\node_modules\finalhandler\node_modules\on-finished\node_modules\ee-first\index.js:93:5)
[1]     at emitNone (events.js:67:13)
[1]     at IncomingMessage.emit (events.js:166:7)
[1]
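The crash in both reports comes from the unguarded `decodeURI()` on logger.js line 15: a request path carrying a non-UTF-8 escape such as `%80` or a non-hex escape such as `%j` makes it throw a `URIError`, which unwinds through `res.end` and takes the whole process down. The following is an added example, not code from lite-server or connect-logger, of how that one substitution can be made crash-safe; the names `safeDecodeUri`, `formatUrl` and `logRequest`, the ` [undecodable]` marker and the query-string stripping via `split('?')` are this example's own choices.

```javascript
// Added example (not lite-server/connect-logger code): a crash-safe replacement
// for the "%url" substitution in connect-logger's logger.js line 15.
// decodeURI() throws URIError when an escape is not valid UTF-8 ("%80") or not
// hex at all ("%j"). A request logger should record such paths, never throw.

// Decode a path for display; on a malformed escape return the raw text with a
// marker (this example's convention) so the odd request stands out in the log.
function safeDecodeUri(text) {
  try {
    return decodeURI(text);
  } catch (err) {
    if (err instanceof URIError) {
      return text + ' [undecodable]';
    }
    throw err; // anything other than URIError is a real bug; let it surface
  }
}

// Mirror of the original substitution: pathname only, query string dropped.
// (The original used url.parse(req.url).pathname; a split on "?" is enough here.)
function formatUrl(format, reqUrl) {
  const pathname = reqUrl.split('?')[0];
  return format.replace(/%url/g, safeDecodeUri(pathname));
}

// Hypothetical per-request hook: because nothing here can throw on bad input,
// a scanner sending "/%80../%80../windows/win.ini" is logged, not fatal.
function logRequest(reqUrl) {
  return formatUrl('GET %url', reqUrl);
}

// Constructed sample paths taken from the two reports in this thread.
const SAMPLE_REQUESTS = ['/index.html?x=1', '/%j..', '/%80../%80../windows/win.ini'];
for (const reqUrl of SAMPLE_REQUESTS) {
  console.log(logRequest(reqUrl));
}
```

Disabling the logger middleware, as the bs-config.json workaround above does, removes the crash but also removes the request log; wrapping the decode keeps the evidence of the scan.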