Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1qMndoLXdydjMtNHg0Z84AAxq7

Unwanted access to the entire file system vulnerability due to a missing check in `staticFiles` HTTP handler

Summary

Missing check vulnerability in the static file handler allows any client to access the files in the server's file system

Details

When staticFiles is set in the serve settings in the configuration file, the following handler doesn't check if absolutePath is still under the directory provided as staticFiles;

  if (staticFiles) {
    router.get('/:relativePath+', async request => {
      let { relativePath } = request.params;
      if (!relativePath) {
        relativePath = 'index.html';
      }
      const absolutePath = path.join(baseDir, staticFiles, relativePath);
      if (absolutePath.includes(staticFiles) && (await pathExists(absolutePath))) {
        const readStream = fs.createReadStream(absolutePath);
        return new Response(readStream as any, {
          status: 200,
        });
      }
      return undefined;
    });

Example scenario

To reproduce it, set staticFiles to the relative path of a directory in .meshrc.yml;

serve:
   staticFiles: ./public

Then start the server with mesh dev, and browse to /..%2fpackage.json then you will see the content of package.json. You can even go deeper to see sensitive data; /..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd

Impact and solution

If staticFiles is set under serve in the configuration file. you have two options to fix vulnerability;

Update @graphql-mesh/cli to a version higher than 0.82.21, and if you use @graphql-mesh/http, update it to a version higher than 0.3.18
Remove staticFiles option from the configuration, and use other solutions to serve static files.

Credits

Thanks [email protected] for reporting this vulnerability with details

Permalink: https://github.com/advisories/GHSA-j2wh-wrv3-4x4g
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qMndoLXdydjMtNHg0Z84AAxq7
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: about 1 year ago

CVSS Score: 5.8
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L

Identifiers: GHSA-j2wh-wrv3-4x4g
References:

Repository: https://github.com/Urigo/graphql-mesh
Blast Radius: 15.7

Affected Packages

npm:@graphql-mesh/http

Dependent packages: 16
Dependent repositories: 78
Downloads: 144,844 last month
Affected Version Ranges: < 0.3.19
Fixed in: 0.3.19
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 0.1.11, 0.1.12, 0.1.13, 0.1.14, 0.1.15, 0.1.16, 0.1.17, 0.1.18, 0.1.19, 0.1.20, 0.1.21, 0.1.22, 0.1.23, 0.1.24, 0.1.25, 0.1.26, 0.1.27, 0.1.28, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.2.10, 0.2.11, 0.2.12, 0.2.13, 0.2.14, 0.2.15, 0.2.16, 0.2.17, 0.2.18, 0.2.19, 0.2.20, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.3.10, 0.3.11, 0.3.12, 0.3.13, 0.3.14, 0.3.16, 0.3.17, 0.3.18
All unaffected versions: 0.3.19, 0.3.20, 0.3.21, 0.3.23, 0.3.24, 0.3.25, 0.3.26, 0.3.27, 0.3.28, 0.3.29, 0.93.1, 0.93.2, 0.94.0, 0.94.1, 0.94.2, 0.94.3, 0.94.4, 0.94.5, 0.95.0, 0.95.1, 0.95.2, 0.95.3, 0.95.4, 0.96.0, 0.96.1, 0.96.2, 0.96.3, 0.96.4, 0.96.5, 0.96.6, 0.96.7, 0.96.8, 0.96.9, 0.96.10, 0.96.11, 0.96.12, 0.96.13, 0.96.14, 0.97.0, 0.97.1, 0.97.2, 0.97.3, 0.97.4, 0.97.5, 0.97.6, 0.97.7, 0.98.0, 0.98.1, 0.98.2, 0.98.3, 0.98.4, 0.98.5, 0.98.6, 0.98.7, 0.98.8, 1.0.0

npm:@graphql-mesh/cli

Dependent packages: 27
Dependent repositories: 519
Downloads: 124,170 last month
Affected Version Ranges: >= 0.78.0, < 0.82.22
Fixed in: 0.82.22
All affected versions: 0.78.0, 0.78.1, 0.78.2, 0.78.3, 0.78.4, 0.78.5, 0.78.6, 0.78.7, 0.78.8, 0.78.9, 0.78.10, 0.78.11, 0.78.12, 0.78.13, 0.78.14, 0.78.15, 0.78.16, 0.78.17, 0.78.18, 0.78.19, 0.78.20, 0.78.21, 0.78.22, 0.78.23, 0.78.24, 0.78.25, 0.78.26, 0.78.27, 0.78.28, 0.78.29, 0.78.30, 0.78.31, 0.78.32, 0.78.33, 0.78.34, 0.78.35, 0.78.36, 0.78.37, 0.78.38, 0.78.39, 0.78.40, 0.78.41, 0.79.0, 0.79.1, 0.79.2, 0.79.3, 0.79.4, 0.79.5, 0.79.6, 0.79.7, 0.80.0, 0.80.1, 0.80.2, 0.80.3, 0.80.4, 0.81.0, 0.82.0, 0.82.1, 0.82.2, 0.82.3, 0.82.4, 0.82.5, 0.82.6, 0.82.7, 0.82.8, 0.82.9, 0.82.10, 0.82.11, 0.82.12, 0.82.13, 0.82.14, 0.82.15, 0.82.16, 0.82.17, 0.82.19, 0.82.20, 0.82.21
All unaffected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 0.0.11, 0.0.12, 0.0.13, 0.0.14, 0.0.15, 0.0.16, 0.0.17, 0.0.18, 0.0.19, 0.0.20, 0.0.21, 0.0.22, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 0.1.11, 0.1.12, 0.1.13, 0.1.14, 0.1.15, 0.1.16, 0.1.17, 0.1.18, 0.1.19, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.2.10, 0.2.11, 0.2.12, 0.2.13, 0.2.14, 0.2.15, 0.2.16, 0.2.17, 0.2.18, 0.2.19, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.7.1, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.10.0, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.11.5, 0.11.6, 0.11.7, 0.11.8, 0.11.9, 0.11.10, 0.11.11, 0.11.12, 0.11.13, 0.11.14, 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.12.4, 0.12.5, 0.12.6, 0.13.0, 0.14.0, 0.14.1, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.15.4, 0.15.5, 0.15.6, 0.15.7, 0.16.0, 0.16.1, 0.16.2, 0.16.3, 0.17.0, 0.17.1, 0.18.0, 0.19.0, 0.19.1, 0.19.2, 0.20.0, 0.20.1, 0.20.2, 0.21.0, 0.22.0, 0.22.1, 0.23.0, 0.23.1, 0.23.2, 0.23.3, 0.23.4, 0.24.0, 0.24.1, 0.25.0, 0.25.1, 0.25.2, 0.25.3, 0.26.0, 0.26.1, 0.26.2, 0.27.0, 0.27.1, 0.27.2, 0.28.0, 0.29.0, 0.29.1, 0.29.2, 0.29.3, 0.29.4, 0.29.5, 0.29.6, 0.29.7, 0.29.8, 0.29.9, 0.29.10, 0.29.11, 0.29.12, 0.29.13, 0.29.14, 0.30.0, 0.30.1, 0.30.2, 0.31.0, 0.32.0, 0.32.1, 0.32.2, 0.32.3, 0.33.0, 0.33.1, 0.33.2, 0.33.3, 0.34.0, 0.34.1, 0.34.2, 0.34.3, 0.35.0, 0.35.1, 0.36.0, 0.37.0, 0.38.0, 0.38.1, 0.38.2, 0.38.3, 0.38.4, 0.39.0, 0.40.0, 0.40.1, 0.40.2, 0.41.0, 0.42.0, 0.42.1, 0.42.2, 0.42.3, 0.42.4, 0.42.5, 0.42.6, 0.43.0, 0.43.1, 0.43.2, 0.43.3, 0.43.4, 0.43.5, 0.43.6, 0.44.0, 0.44.1, 0.44.2, 0.44.3, 0.44.4, 0.44.5, 0.45.0, 0.46.0, 0.46.1, 0.47.0, 0.48.0, 0.48.1, 0.49.0, 0.50.0, 0.51.0, 0.51.1, 0.51.2, 0.52.0, 0.53.0, 0.53.1, 0.53.2, 0.54.0, 0.54.1, 0.54.2, 0.54.3, 0.54.4, 0.55.0, 0.55.1, 0.55.2, 0.56.0, 0.56.1, 0.56.2, 0.56.3, 0.57.0, 0.57.1, 0.58.0, 0.59.0, 0.59.1, 0.59.2, 0.59.3, 0.59.4, 0.59.5, 0.60.0, 0.60.2, 0.60.3, 0.61.0, 0.62.0, 0.62.1, 0.62.2, 0.63.0, 0.64.0, 0.64.1, 0.64.2, 0.65.0, 0.66.0, 0.66.1, 0.66.2, 0.67.0, 0.67.1, 0.67.2, 0.67.3, 0.67.4, 0.67.5, 0.67.6, 0.68.0, 0.68.1, 0.68.2, 0.68.3, 0.68.4, 0.69.0, 0.69.1, 0.69.2, 0.70.0, 0.70.1, 0.70.2, 0.70.3, 0.70.4, 0.71.0, 0.71.1, 0.71.2, 0.71.3, 0.71.4, 0.71.5, 0.72.0, 0.72.1, 0.73.0, 0.73.1, 0.73.2, 0.73.3, 0.73.4, 0.74.0, 0.74.1, 0.74.2, 0.75.0, 0.75.1, 0.75.2, 0.75.3, 0.75.4, 0.75.5, 0.75.6, 0.75.7, 0.75.8, 0.75.9, 0.75.10, 0.75.11, 0.75.12, 0.76.0, 0.76.1, 0.76.2, 0.77.0, 0.77.1, 0.77.2, 0.77.3, 0.82.22, 0.82.23, 0.82.24, 0.82.25, 0.82.27, 0.82.28, 0.82.29, 0.82.30, 0.82.31, 0.82.32, 0.82.33, 0.82.34, 0.82.35, 0.83.0, 0.83.1, 0.83.2, 0.83.3, 0.83.4, 0.83.5, 0.83.6, 0.84.0, 0.85.0, 0.85.1, 0.85.2, 0.85.3, 0.85.4, 0.85.5, 0.85.6, 0.86.0, 0.86.1, 0.86.2, 0.86.3, 0.87.0, 0.87.1, 0.87.2, 0.87.3, 0.87.4, 0.87.5, 0.87.6, 0.87.7, 0.87.8, 0.87.9, 0.87.10, 0.87.11, 0.87.12, 0.87.13, 0.87.14, 0.87.15, 0.87.16, 0.88.0, 0.88.1, 0.88.2, 0.88.3, 0.88.4, 0.88.5, 0.88.6, 0.88.7, 0.88.8, 0.88.9, 0.89.0, 0.89.1, 0.89.2, 0.89.3, 0.89.4, 0.89.5, 0.89.6, 0.89.7, 0.89.8