From d4983148508a7ddaeb095ab01db6b3bf995ee23f Mon Sep 17 00:00:00 2001 From: Martin Probst Date: Thu, 29 Aug 2019 12:12:45 +0200 Subject: [PATCH] fix(zone.js): a path traversal attack in test (#32392) `simple-server.js` is vulnerable to a trivial path traversal attack, i.e. an attacker can supply a path like `../../etc/passwd` to read arbitrary files on the server. This change fixes the issue by properly resolving the path, and then only serving files under the current directory (as intended). This is not really a security issue, given the code is not part of Angular, but rather just testing infrastructure for Angular itself, and the CI servers are not expected to contain confidential information, but still worth fixing for code hygiene. PR Close #32392
---
packages/zone.js/simple-server.js | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/packages/zone.js/simple-server.js b/packages/zone.js/simple-server.js
index 525883b2ef..a31998a74d 100644
--- a/packages/zone.js/simple-server.js
+++ b/packages/zone.js/simple-server.js
@@ -13,22 +13,31 @@
let server;
const localFolder = __dirname;
+function writeNotFound(res) {
+ res.writeHead(404, {'Content-Type': 'text/html'});
+ res.end('

404, Not Found!

');
+}
+
function requestHandler(req, res) {
if (req.url === '/close') {
res.end('server closing');
setTimeout(() => {
process.exit(0);
}, 1000);
} else {
- const file = localFolder + req.url;
+ const file = path.resolve(localFolder, req.url);
+ if (!file.startsWith(localFolder + '/')) {
+ writeNotFound(res);
+ return;
+ }
fs.readFile(file, function(err, contents) {
if (!err) {
res.end(contents);
} else {
- res.writeHead(404, {'Content-Type': 'text/html'});
- res.end('

404, Not Found!

');
+ writeNotFound(res);
+ return;
};
});
};
};
-server = http.createServer(requestHandler).listen(8080);
\ No newline at end of file
+server = http.createServer(requestHandler).listen(8080);
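Review bot: The new `const file = path.resolve(localFolder, req.url);` line rejects legitimate requests, not only traversal ones: an HTTP request-target such as `/dist/zone.js` begins with `/`, and `path.resolve` discards every earlier segment once it meets an absolute one, so `file` becomes `/dist/zone.js`, which fails the `startsWith(localFolder + '/')` guard and is answered with the 404 — every request to this server, as far as I can tell, now takes that branch. Joining instead of resolving keeps the root while still collapsing `..` segments: `const file = path.join(localFolder, req.url);` followed by `if (!file.startsWith(localFolder + path.sep)) {` — `path.join('/x/zone.js', '/../../etc/passwd')` normalises to `/etc/passwd` and is rejected, while `/dist/zone.js` maps to a file under `localFolder`. Using `path.sep` rather than a literal `'/'` also keeps the guard meaningful on Windows, where `path.join` emits backslashes and the `'/'` suffix would never match. This assumes `path` is required above the hunk, which is not visible here; a query string in `req.url` is still treated as part of the file name, but that is pre-existing behaviour rather than something this change introduces.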