[Security Patch Suggestion] Patch for medium severity vulnerabilities #12
Open
nuang-ee wants to merge 2 commits into
Disclaimer
I understand that this repository is not under active maintenance; however, I'm leaving this patch for anyone who has decided to use this project.
If this PR is not yet merged into the project, it is recommended to apply this patch yourself before using this project!
Description
This PR fixes two medium severity security bugs:
The path confusion problem
The current version of this project fails to properly strip the pathname via config. For instance, when the server is configured as:

```js
Bun.serve({ fetch: serveStatic(".", { stripFromPathname: "/public" }) });
```

`/public/images/image.png`, `/images/public/image.png`, and even `/imag/publices/image.png` are all evaluated into the same local filesystem path: `{rootDirectory}/images/image.png`. This may lead to unintended access to protected files.
The unprotected "dot-directory" access
The current implementation only checks whether the last segment of the file URL, separated by `/`, starts with `.`. However, common practice is to prevent access to directories whose names start with `.`, and to all of their children. For instance, directories like `.vscode` and `.git` should be protected.