Hello,
It's possible that you don't use this code in production or the project is not maintained anymore, but we wanted to also increase security awareness. Also if it's only for development, securing the server increases security of the developer. Sorry if it bothers you.
We are a group of researchers from Leiden University, and found a vulnerability in your project.
Due to unsafe usage of pathname used in file reads, this project is vulnerable to Local File Inclusion vulnerability.
You can read more about this vulnerability and its side effects here: https://cwe.mitre.org/data/definitions/22.html
The vulnerable code is at ./samples/server.js file, which you can access online via: https://raw.githubusercontent.com/w3c/webcodecs/HEAD/samples/server.js
If the pathname of the URL is a relative path (e.g.: ../), the returned path can be outside the intended directory and this might lead to leakage of sensitive files.
Running the project:
We used node command to run the file directly: node ./samples/server.js
Verified proof-of-concept(poc) to read hostname file(Path traversal vulnerability):
This patch is generated with the help of LLMs, we verified it's working and doesn't break application functionality but still we HIGHLY recommend you verify that it correctly mitigates the bug and doesn't hurt the functionality of your software.
Hello, It's possible that you don't use this code in production or the project is not maintained anymore, but we wanted to also increase security awareness. Also if it's only for development, securing the server increases security of the developer. Sorry if it bothers you. We are a group of researchers from Leiden University, and found a vulnerability in your project. Due to unsafe usage of pathname used in file reads, this project is vulnerable to Local File Inclusion vulnerability. You can read more about this vulnerability and its side effects here: https://cwe.mitre.org/data/definitions/22.html
The vulnerable code is at ./samples/server.js file, which you can access online via: https://raw.githubusercontent.com/w3c/webcodecs/HEAD/samples/server.js If the pathname of the URL is a relative path (e.g.: ../), the returned path can be outside the intended directory and this might lead to leakage of sensitive files.
Running the project: We used node command to run the file directly:
node ./samples/server.js
Verified proof-of-concept(poc) to read hostname file(Path traversal vulnerability):
By default, running the vulnerable file opens a port in the localhost only scope. Thus the Attack Vector (AV) of CVSS is: (A)djacent
Impact: We've calculated the base score of the vulnerability (as proposal) as 6.1, with a severity of "Medium" using following the following vector_string: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N You can view the CVSS score online via: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
This patch is generated with the help of LLMs, we verified it's working and doesn't break application functionality but still we HIGHLY recommend you verify that it correctly mitigates the bug and doesn't hurt the functionality of your software.
Credits: Hamidreza Hamidi and Jafar Akhoundali
Feedback: We would like to know your opinion about the quality of this report by filling a really brief survey with 4 questions: https://leidenuniv.eu.qualtrics.com/jfe/form/SV_4JkS2loxBXVDlum