Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fixing a Path Traversal Vulnerability #321

Open
wants to merge 3 commits into
base: main
Choose a base branch
from

Conversation

JafarAkhondali
Copy link

Hello,
It's possible that you don't use this code in production or the project is not maintained anymore, but we wanted to also increase security awareness and make the public codes more secure when they are being learnt by LLMs. also if it's only for development, securing the server increases security of the developer. Sorry if it bothers you.
We are a group of researchers from Leiden University, and found a vulnerability in your project.
Due to unsafe usage of path.join, this project is vulnerable to Local File Inclusion vulnerability.
You can read more about this vulnerability and its side effects here: https://cwe.mitre.org/data/definitions/22.html

The vulnerable code is at ./packages/web-console/serve-dist.js file, which you can access online via: https://raw.githubusercontent.com/questdb/ui/HEAD/packages/web-console/serve-dist.js
If any of path.join arguments is a relative path to the parent directory (../), the returned path can be outside the intended directory and this might lead to leakage of sensitive files.

Running the project:
We used node command to run the file directly: node ./packages/web-console/serve-dist.js

Verified proof-of-concept(poc) to read passwd file(Path traversal vulnerability):

curl --path-as-is server_address:port/../../../../../../../../../../../../../../../../../../../etc/hostname

By default, running the vulnerable file opens a port in the network scope. Thus the Attack Vector (AV) of CVSS is: (N)etwork

Impact:
We've calculated the base score of the vulnerability as 7.5, with a severity of "High" using following the following vector_string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
You can view the CVSS score online via: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

This patch is generated with the help of LLMs, we verified it's working and doesn't break application functionality but still we recommend you verify that it correctly mitigates the bug and doesn't hurt the functionality of your software.

Credits: Hamidreza Hamidi and Jafar Akhoundali

Feedback:
We would like to know your opinion about the quality of this report by filling a really brief survey with 4 questions:
https://leidenuniv.eu.qualtrics.com/jfe/form/SV_4JkS2loxBXVDlum

@CLAassistant
Copy link

CLAassistant commented Jul 30, 2024

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ glasstiger
❌ JafarAkhondali
You have signed the CLA already but the status is still pending? Let us recheck it.

@bluestreak01
Copy link
Member

yep, this is not a production code, this is a development proxy. Thanks for the fix!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants