johnpapa / lite-server

Lightweight node server
MIT License
2.31k stars 267 forks source link

Server crashes on directory traversal attempt with invalid UTF-8 character #82

Open EvanKnowles opened 8 years ago

EvanKnowles commented 8 years ago

Server crashes on directory traversal attempt with invalid UTF-8 character

A scheduled scan kicked off on our network and crashed my npm-lite server. Checking the logs, the crash was on a GET for /%80../%80../%80../%80../%80../%80../windows/win.ini

%80 is not a valid URL encoded character under UTF-8, which may be why it crashed.

Bug repro steps

  1. Launch server
  2. Attempt to navigate to /%80../%80../%80../%80../%80../%80../windows/win.ini
  3. Server crashes

    Environment

    • lite-server version: 2.2.0
    • nodejs version: v4.4.5
    • npm version: 2.15.5
    • OS type/version: Win 7 Enterprise 64-bit

Server log:

[1] D:\testAngular\angular2-typescript-quickstart\node_modules\lite-server\node_modules\connect-logger\lib\logger.js:15 [1] format = format.replace(/%url/g, "\x1b[90m" + (decodeURI((url.parse(req.url)).pathname)) + "\x1b[0m"); [1] ^ [1] [1] URIError: URI malformed [1] at decodeURI (native) [1] at parse (D:\testAngular\angular2-typescript-quickstart\node_modules\lite-server\node_modules\connect-logger\lib\logger.js:15:52) [1] at ServerResponse.res.end (D:\testAngular\angular2-typescript-quickstart\node_modules\lite-server\node_modules\connect-logger\lib\logger.js:41:17) [1] at Array.write (D:\testAngular\angular2-typescript-quickstart\node_modules\lite-server\node_modules\browser-sync\node_modules\connect\node_modules\finalhandler\index.js:137:9) [1] at listener (D:\testAngular\angular2-typescript-quickstart\node_modules\lite-server\node_modules\browser-sync\node_modules\connect\node_modules\finalhandler\node_modules\on-finished\index.js:169:15) [1] at onFinish (D:\testAngular\angular2-typescript-quickstart\node_modules\lite-server\node_modules\browser-sync\node_modules\connect\node_modules\finalhandler\node_modules\on-finished\index.js:100:5) [1] at callback (D:\testAngular\angular2-typescript-quickstart\node_modules\lite-server\node_modules\browser-sync\node_modules\connect\node_modules\finalhandler\node_modules\on-finished\node_modules\ee-first\index.js:55:10) [1] at IncomingMessage.onevent (D:\testAngular\angular2-typescript-quickstart\node_modules\lite-server\node_modules\browser-sync\node_modules\connect\node_modules\finalhandler\node_modules\on-finished\node_modules\ee-first\index.js:93:5) [1] at emitNone (events.js:67:13) [1] at IncomingMessage.emit (events.js:166:7) [1]

lmcnjmiller commented 8 years ago

Ive ran into the same thing. It happens with any uri containing a "%" and ".." respectively.

Browser Output

Cannot GET /%j..

Server Output


   Local: http://localhost:3000
External: http://172.17.0.4:3000

      UI: http://localhost:3001

UI External: http://172.17.0.4:3001


[BS] Serving files from: ./ [BS] Watching files... 16.06.22 15:20:32 304 GET /index.html 16.06.22 15:20:45 304 GET /index.html /usr/lib/node_modules/lite-server/node_modules/connect-logger/lib/logger.js:15 format = format.replace(/%url/g, "\x1b[90m" + (decodeURI((url.parse(req.url)).pathname)) + "\x1b[0m"); ^

URIError: URI malformed at decodeURI (native) at parse (/usr/lib/node_modules/lite-server/node_modules/connect-logger/lib/logger.js:15:52) at ServerResponse.res.end (/usr/lib/node_modules/lite-server/node_modules/connect-logger/lib/logger.js:41:17) at Array.write (/usr/lib/node_modules/lite-server/node_modules/finalhandler/index.js:137:9) at listener (/usr/lib/node_modules/lite-server/node_modules/on-finished/index.js:169:15) at onFinish (/usr/lib/node_modules/lite-server/node_modules/on-finished/index.js:100:5) at callback (/usr/lib/node_modules/lite-server/node_modules/ee-first/index.js:55:10) at IncomingMessage.onevent (/usr/lib/node_modules/lite-server/node_modules/ee-first/index.js:93:5) at emitNone (events.js:80:13) at IncomingMessage.emit (events.js:179:7)

Speculor commented 8 years ago

Ditto, a simple Nikto scan killed my npm-lite. Workarounds?

RookTKO commented 5 years ago

Not what you want to hear but removing the whole line of code worked to stop killing my npm-lite.

MakcStudio commented 1 year ago

this is still a current problem. Can someone upload an npm package that would fix this problem?

MakcStudio commented 1 year ago

After poking around in the code, I found a solution to this problem. you just need to disable the standard middleware. Here is an example via file: bs-config.json

{ "port": 1234, "server": { "baseDir": "./dist", "middleware": { "0": null } }, "ui": false, "notify": false, "ghostMode": false, "snippet": false, "online": false }