GHSA-cfqx-f43m-vfh7 – @saltcorn/server
Package
Manager: npm
Name: @saltcorn/server
Vulnerable Version: >=0 <1.0.0-beta.14
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
EPSS: N/A (percentile: N/A)
Details
@saltcorn/server arbitrary file and directory listing when accessing build mobile app results

### Summary

A user with admin permission can read arbitrary file and directory names on the filesystem by calling the `admin/build-mobile-app/result?build_dir_name=` endpoint. The `build_dir_name` parameter is not validated; it is used directly to construct the `buildDir` that is then read, and the file and directory names under that `buildDir` are returned.

### Details

- file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/routes/admin.js#L2884-L2893

```js
router.get(
  "/build-mobile-app/result",
  isAdmin,
  error_catcher(async (req, res) => {
    const { build_dir_name } = req.query; // [1] source: query parameter under the caller's control
    const rootFolder = await File.rootFolder();
    const buildDir = path.join(
      rootFolder.location,
      "mobile_app",
      build_dir_name // [2] joined without validation; "../" segments are normalised and escape mobile_app
    );
    const files = await Promise.all(
      fs
        .readdirSync(buildDir) // [3] sink: lists whatever directory the joined path resolved to
        .map(async (outFile) => await File.from_file_on_disk(outFile, buildDir))
    );
    [...]
  })
);
```

### PoC

- log into the application as an admin user
- visit the following URL: `http://localhost:3000/admin/build-mobile-app/result?build_dir_name=/../../../../../../../../`

**NOTE**: it's possible to only see file and directory names but not to download their content.

### Impact

Information disclosure

### Recommended Mitigation

Resolve the `buildDir` and check if it starts with `${rootFolder.location}/mobile_app`.
Metadata
Created: 2024-10-03T19:46:42Z
Modified: 2024-10-03T19:46:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-cfqx-f43m-vfh7/GHSA-cfqx-f43m-vfh7.json
CWE IDs: ["CWE-548"]
Alternative ID: N/A
Finding: F063
Auto approve: 1