Skip to content

Prevent DoS attack#213

Closed
Zarel wants to merge 1 commit into
cloudhead:masterfrom
Zarel:patch-1
Closed

Prevent DoS attack#213
Zarel wants to merge 1 commit into
cloudhead:masterfrom
Zarel:patch-1

Conversation

@Zarel

@Zarel Zarel commented Jan 11, 2019
edited
Loading

Copy link
Copy Markdown

A pathname containing U+0000 NULL will crash fs.stat with the error message "TypeError [ERR_INVALID_ARG_VALUE]: The argument 'path' must be a string or Uint8Array without null bytes."

This commit prevents node-static from crashing.

@Zarel
Prevent DoS attack
b6ae31c 
A pathname containing `\u0000 NULL` will crash `fs.stat` with the error message "TypeError [ERR_INVALID_ARG_VALUE]: The argument 'path' must be a string or Uint8Array without null bytes."

This commit prevents node-static from crashing.
@tchakabam

tchakabam commented Jan 14, 2019

Copy link
Copy Markdown
Contributor

shouldn't this be related to / fixed in the specific Node runtime in use?

tchakabam
tchakabam reviewed Jan 14, 2019
View reviewed changes
Comment thread lib/node-static.js
if (pathname.indexOf(that.root) === 0) {
// file outside of the root or an invalid
// pathname.
if (pathname.indexOf(that.root) === 0 && pathname.indexOf('\u0000') === -1) {

@tchakabam tchakabam Jan 14, 2019

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if you would do this like this, it should be somehow at least logging that this type of path has been ignored i think.

is there some documentation on this vulnerability and have there been other fixes to this exploit in other open-source codebases?

@Zarel Zarel Jan 14, 2019

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You don't log paths like ../ either; I just modeled my code after the existing code.

I'm not aware of documentation of this problem. I became aware of it because someone attacked my server with it.

@Zarel

Zarel commented Jan 14, 2019

Copy link
Copy Markdown
Author

It looks like this is new in Node.js v10:

https://alexatnet.com/node-js-10-important-changes/#fs-2

In previous Node versions, it would be passed as an error to the fs.stat callback, so it would respond with a 404:

        fs.stat(pathname, function (e, stat) {
            if (e) {
                finish(404, {});

But in Node 10 and later, fs.stat instead synchronously throws an error.

@Zarel

Zarel commented Jan 14, 2019

Copy link
Copy Markdown
Author

nodejs/node#18308

is the change in Node.js that led to this regression.

@lovasoa

lovasoa commented Mar 21, 2020

Copy link
Copy Markdown

This is a serious security issue. What is the state of this PR ?

frankdean added a commit to frankdean/node-static that referenced this pull request Jul 17, 2020
@frankdean
Add test to demonstrate Denial of Service issue
64151eb 
- https://www.npmjs.com/advisories/1208
- cloudhead#213
@kashif-m

kashif-m commented Feb 18, 2021

Copy link
Copy Markdown

Why is this still not closed? 🤔

@brpvieira brpvieira mentioned this pull request Mar 1, 2021
Merged
This was referenced Mar 29, 2021
Closed
Closed
@brettz9

brettz9 commented May 21, 2021

Copy link
Copy Markdown
Collaborator

Closing as #227 avoids need for this PR.

@brettz9 brettz9 closed this May 21, 2021
@shelbyc shelbyc mentioned this pull request Oct 3, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@tchakabam tchakabam tchakabam left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@Zarel @tchakabam @lovasoa @kashif-m @brettz9