From 17da8ee8fa6456b29f9b66442cd7322aa75de709 Mon Sep 17 00:00:00 2001 From: Rob Wu Date: Sat, 23 Nov 2024 21:32:24 +0100 Subject: [PATCH] Fix path traversal issue in createTemporaryNodeServer The test-only createTemporaryNodeServer helper featured a path traversal vulnerability. This enables attackers with network access to the device to read arbitrary files while unit tests are running that activate this test server. This patch fixes the issue by validation of paths. To test this vulnerability before the patch: 1. Run the test-only server: ``` node -e 'console.log(require("./test/unit/test_utils.js").createTemporaryNodeServer().port) ``` 2. From another terminal, send the following request (modify the port to the port reported in the previous step): ``` curl --path-as-is http://localhost:45755/../../package.json ``` Before the patch, the second step would traverse the directory, and return results from the root of the PDF.js repository, instead of files within test/pdfs/. With the patch, the server refuses the request with HTTP status 400. --- test/unit/test_utils.js | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/test/unit/test_utils.js b/test/unit/test_utils.js index 5ca113989..db2fdc2fd 100644 --- a/test/unit/test_utils.js +++ b/test/unit/test_utils.js @@ -127,9 +127,23 @@ function createTemporaryNodeServer() { const fs = process.getBuiltinModule("fs"), http = process.getBuiltinModule("http"); + function isAcceptablePath(requestUrl) { + try { + // Reject unnormalized paths, to protect against path traversal attacks. + const url = new URL(requestUrl, "https://localhost/"); + return url.pathname === requestUrl; + } catch { + return false; + } + } // Create http server to serve pdf data for tests. const server = http .createServer((request, response) => { + if (!isAcceptablePath(request.url)) { + response.writeHead(400); + response.end("Invalid path"); + return; + } const filePath = process.cwd() + "/test/pdfs" + request.url; fs.promises.lstat(filePath).then( stat => {