Описание
Path traversal in oak allows transfer of hidden files within the served root directory
Summary
By default oak does not allow transferring of hidden files with Context.send API. However, this can be bypassed by
encoding / as its URL encoded form %2F.
Details
1.) Oak uses decodeComponent which seems to be unexpected. This is also the reason why it is not possible to access a file that contains URL encoded characters unless the client URL encodes it first.
2.) The function isHidden is flawed since it only checks if the first subpath is hidden, allowing secrets to be read from subdir/.env.
PoC
In terminal:
Impact
For an attacker this has potential to read sensitive user data or to gain access to server secrets.
Ссылки
- https://github.com/oakserver/oak/security/advisories/GHSA-qm92-93fv-vh7m
- https://nvd.nist.gov/vuln/detail/CVE-2024-49770
- https://github.com/oakserver/oak/commit/4b2f27efd5cba5a45b2c3982e610da3af0869209
- https://github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.ts#L117-L125
- https://github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.ts#L182C10-L182C25
Пакеты
@oakserver/oak
<= 14.1.0
Отсутствует
Связанные уязвимости
`oak` is a middleware framework for Deno's native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. By default `oak` does not allow transferring of hidden files with `Context.send` API. However, prior to version 17.1.3, this can be bypassed by encoding `/` as its URL encoded form `%2F`. For an attacker this has potential to read sensitive user data or to gain access to server secrets. Version 17.1.3 fixes the issue.