This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
[Discussion] Contrast reports path traversal vulnerability #486
Comments
|
Thanks for pointing. If you have any further details to share or even a POC, please send them by email before disclosing. |
|
So far I was not able to escape from the locales directory. Any provided locale (be it from accept-header, cookie, query parameter or code) has to match to one of configured locales, ie.: const i18n = new I18n({
locales: ['en', 'de'],
directory: './translations'
})The first locale will act as default for any "unknown" or manipulated locale. Thus, providing a locale like '../en' or '../de' or '../../' will result in using 'en' with reading/writing the file Even without explicit config, i18n uses 'en' as default locale and 'locales' as default directory. Example: const i18n = new I18n({})can only use I am about to add another test as prove for those cases. And I think there is still room for improving parameter sanitizing and filesystem operations in general. |
|
@mashpie the tests on my side followed the same logic as yours and I was not able to escape from the locales directory as well. I think it is safe to assume its a false positive. Thanks for the fast response, btw :D |
|
@francislz Thanks for your effort, I am glad to hear that. Let's keep this issue open for me to further improve sanitizing. |
This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
Contrast reports that the Accept-Language: en-us is vulnerable to Path Traversal since the value is used to access the en.json in the translations folder. According to contrast I might manipulate the this header in order to access the filesystem. I tested it out by manipulating the header but I seems that is a false positive. Just wanted to make sure by creating this discussion here.
The text was updated successfully, but these errors were encountered: