GHSA-rjq5-w47x-x359

Suggest an improvement
Source
https://github.com/advisories/GHSA-rjq5-w47x-x359
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-rjq5-w47x-x359/GHSA-rjq5-w47x-x359.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-rjq5-w47x-x359
Aliases
Published
2024-01-23T14:42:51Z
Modified
2024-01-23T14:56:36.796118Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
@hono/node-server cannot handle "double dots" in URL
Details

Impact

Since v1.3.0, we use our own Request object. This is great, but the url behavior is unexpected.

In the standard API, if the URL contains .., here called "double dots", the URL string returned by Request will be in the resolved path.

const req = new Request('http://localhost/static/../foo.txt') // Web-standards
console.log(req.url) // http://localhost/foo.txt

However, the url in our Request does not resolve double dots, so http://localhost/static/.. /foo.txt is returned.

const req = new Request('http://localhost/static/../foo.txt')
console.log(req.url) // http://localhost/static/../foo.txt

It will pass unresolved paths to the web application. This causes vulnerabilities like #123 when using serveStatic.

Note: Modern web browsers and a latest curl command resolve double dots on the client side, so it does not affect you if the user uses them. However, problems may occur if accessed by a client that does not resolve them.

Patches

"v1.4.1" includes the change to fix this issue.

Workarounds

Don't use serveStatic.

References

Affected packages

npm / @hono/node-server

Package

Name
@hono/node-server
View open source insights on deps.dev
Purl
pkg:npm/%40hono/node-server

Affected ranges

Type
SEMVER
Events
Introduced
1.3.0
Fixed
1.4.1