From bfd46f6e946f9ed277e649689d702ed1feaaa1db Mon Sep 17 00:00:00 2001 From: jfarrell Date: Thu, 4 Oct 2018 23:00:28 -0400 Subject: [PATCH] [PATCH] Thrift-4647: Node.js Filesever webroot fixed path Updates the node.js fileserver to have a fixed based webroot which can not be escaped by end users. Gbp-Pq: Name CVE-2018-11798_Node.js_Filesever_webroot_fixed_path.patch --- lib/js/test/server_http.js | 2 +- lib/js/test/server_https.js | 2 +- lib/nodejs/lib/thrift/web_server.js | 10 +++++++++- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/lib/js/test/server_http.js b/lib/js/test/server_http.js index 1115474..02fa54a 100644 --- a/lib/js/test/server_http.js +++ b/lib/js/test/server_http.js @@ -36,7 +36,7 @@ var ThriftTestSvcOpt = { }; var ThriftWebServerOptions = { - files: '.', + files: __dirname, services: { '/service': ThriftTestSvcOpt } diff --git a/lib/js/test/server_https.js b/lib/js/test/server_https.js index 7e78d9e..abd25c1 100644 --- a/lib/js/test/server_https.js +++ b/lib/js/test/server_https.js @@ -40,7 +40,7 @@ var ThriftTestSvcOpt = { }; var ThriftWebServerOptions = { - files: '.', + files: __dirname, tls: { key: fs.readFileSync('../../../test/keys/server.key'), cert: fs.readFileSync('../../../test/keys/server.crt') diff --git a/lib/nodejs/lib/thrift/web_server.js b/lib/nodejs/lib/thrift/web_server.js index 0093c8a..a33f47a 100644 --- a/lib/nodejs/lib/thrift/web_server.js +++ b/lib/nodejs/lib/thrift/web_server.js @@ -415,7 +415,15 @@ exports.createWebServer = function(options) { //Locate the file requested and send it var uri = url.parse(request.url).pathname; - var filename = path.join(baseDir, uri); + var filename = path.resolve(path.join(baseDir, uri)); + + //Ensure the basedir path is not able to be escaped + if (filename.indexOf(baseDir) != 0) { + response.writeHead(400, "Invalid request path", {}); + response.end(); + return; + } + fs.exists(filename, function(exists) { if(!exists) { response.writeHead(404); -- 2.30.2