linux implementation can read arbitrary files #27

mlc · 2019-08-20T16:24:00Z

execFile("cat", ["/sys/class/net/" + iface + "/address"], function (err, out) {

By prepending ../../.. to the "interface" name, this line of code can be asked read a file from anywhere on the filesystem as long as that file is named address.

It is also a little bit strange to run cat to read a file rather than just using the node fs module, but patching only that will not solve the security problem.

The text was updated successfully, but these errors were encountered:

scravy · 2020-04-21T13:18:26Z

There used to be a very old and ancient version of node which for whatever reason did not read the contents of textfiles in /sys properly, which is why cat was used.

The name of the interface could well be sanitized.

Do you mind opening a pull request?

scravy · 2020-05-04T13:29:24Z

Has been fixed and released in v0.4.3

mlc · 2020-05-04T14:35:09Z

thanks, @scravy!

scravy added the confirmed label Apr 21, 2020

scravy added this to the 0.5.0 milestone Apr 21, 2020

scravy closed this as completed in ca9e24d May 4, 2020

scravy added a commit that referenced this issue May 4, 2020

fix #22, fix #27

0f329b4

scravy added the fixed label May 18, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

linux implementation can read arbitrary files #27

linux implementation can read arbitrary files #27

mlc commented Aug 20, 2019

scravy commented Apr 21, 2020

scravy commented May 4, 2020

mlc commented May 4, 2020

linux implementation can read arbitrary files #27

linux implementation can read arbitrary files #27

Comments

mlc commented Aug 20, 2019

scravy commented Apr 21, 2020

scravy commented May 4, 2020

mlc commented May 4, 2020