tomkuijsten / restup

Webserver for universal windows platform (UWP) apps
MIT License

Directory traversal vulnerability #138

Open versacall opened 5 years ago

versacall commented 5 years ago

We have an application running on a Win 10 IoT Core raspberry pi using restup. But it was flagged with a vulnerability from a scan from IT.

Basically, if you send something like this from Postman, it returns the contents of the C:\windows\win.ini file.

GET: 192.168.100.37:80/../../../../../../../../../../windows/win.ini

Is there any way to prevent it from going beyond the root of the application? I didn't see anything in the documentation that indicated such an option. I'm not sure if it allows writes/POSTs to those folders but IT is on my case about blocking this vulnerability.

Jark commented 5 years ago

Hi Versacall,

That's definitely a bug; it should not allow you to get files below the basePath.

What you could do to get around this is either copying the StaticFileRouteHandler class or creating a wrapper around StaticFileRouteHandler that throws an exception when a . or .. is specified in the request uri.

The proper fix should:

Are you willing / able to attempt fixing this? If not I can probably implement & push a fix this week.

Cheers,

Jark
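The containment check Jark describes, as an added example that is not restup's own code: it canonicalises the requested path against the handler's base directory and rejects anything that resolves outside it, rather than only looking for a literal `..` (which a percent-encoded `%2e%2e` would slip past). The class name `SafeStaticPath`, the method `Resolve` and the sample base directory `C:\app\www` are assumptions for illustration; the real handler would call such a method before opening the file.

```csharp
using System;
using System.IO;

// Added example (hypothetical helper, not part of restup): path containment
// for a static file handler. basePath is the handler's root directory; the
// requestPath is the path portion of the request URI.
public static class SafeStaticPath
{
    // Returns the absolute file path if it lies inside basePath, otherwise null.
    public static string Resolve(string basePath, string requestPath)
    {
        // Canonical base directory with a trailing separator, so that
        // "C:\app\www" does not also match "C:\app\wwwroot-other".
        string root = Path.GetFullPath(basePath);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;

        // Decode percent-encoding (for example %2e%2e) before any path reasoning.
        string decoded = Uri.UnescapeDataString(requestPath);

        // Reject NUL bytes, which would truncate the path at the file system layer.
        if (decoded.IndexOf('\0') >= 0)
            return null;

        // Strip leading slashes so Path.Combine treats the value as relative,
        // and normalise forward slashes to the platform separator.
        string relative = decoded.TrimStart('/', '\\')
                                 .Replace('/', Path.DirectorySeparatorChar);

        // A drive or UNC prefix is never a legitimate static file request.
        if (Path.IsPathRooted(relative))
            return null;

        // GetFullPath collapses "." and ".." segments; the prefix test then
        // decides whether the final location is still under the root.
        string full = Path.GetFullPath(Path.Combine(root, relative));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            return null;

        return full;
    }

    public static void Main()
    {
        // Constructed sample requests: a normal file, the traversal from the
        // report, and the same traversal with percent-encoded dots.
        string www = @"C:\app\www";
        foreach (string request in new[]
        {
            "/index.html",
            "/../../../../../../../../../../windows/win.ini",
            "/%2e%2e/%2e%2e/%2e%2e/windows/win.ini"
        })
        {
            string resolved = Resolve(www, request);
            Console.WriteLine(request + " -> " + (resolved ?? "rejected (outside basePath)"));
        }
    }
}
```

The check is done on the resolved path, not on the raw URI, so a request that reaches the root through a mix of encoded and plain segments is still caught; a handler that only raises on a literal `.` or `..` in the URI, as the quick workaround above suggests, should be treated as a stop-gap until the resolved-path check is in place.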

young-versacall commented 5 years ago

Yeah, I reviewed the StaticFileRouteHandler class and see what you mean. I'll clone the repo and try out the fix. If it works I'll try and push up the changes if you want. (From this account, I have 2 GitHub accounts which is confusing)

young-versacall commented 5 years ago

I fixed the issue and made pull request #139.