Bypassing the security check "do not allow ../ in path"

In January, Hexo fixed an arbitrary file read vulnerability in its include_code tag with the following check:

```js
// Excerpt from Hexo's include_code tag plugin (lib/plugins/tag/include_code.js)
// before the fix. `ctx`, `codeDir`, `lang` and `match` come from the enclosing
// includeCodeTag function; the two imports are shown here for context.
const { extname, join, posix, basename } = require('path');
const { exists, readFile } = require('hexo-fs');

if (!match) return;

const path = match[2];

// security check: do not allow ../ in path
if (path.includes('../')) return;

lang = lang || extname(path).substring(1);

// On Windows join() also treats backslashes as separators, so a `..\` in
// `path` still walks out of source_dir even though the check above passed.
const src = join(ctx.source_dir, codeDir, path);

const title = match[1] || basename(path);
const caption = `<span>${title}</span><a href="${posix.join(ctx.config.root, codeDir, path)}">view raw</a>`;

return exists(src).then(exist => {
  if (exist) return readFile(src);
  // ... the rest of the chain highlights the returned code (omitted here)
});
```

After a brief look, I found that this security check is incomplete; it can be bypassed.

The check only looks for the forward-slash form `../`. On Windows, Node's `path.join` also treats a backslash as a path separator, so `..\` walks up one directory and is never rejected:

```
{% include_code ..\..\..\..\..\..\..\..\..\..\..\test.txt %}
```


On Linux a backslash is an ordinary filename character, not a path separator, so `..\` names a (non-existent) directory instead of stepping up to the parent. In theory one could try a mixed form such as `..\/..\/..\/..\/..\/etc/passwd`, but I did not verify this successfully on Linux; the bypass was only verified in a Windows environment.

So my suggestion is to reject not only `../` but also `..\` in the path, or to reject any `..` and the `file:` protocol outright. A more robust fix is to resolve the joined path and only read the file if the result is still inside the code directory, rather than matching substrings at all.

The issue is currently being resolved: https://github.com/hexojs/hexo/pull/5251


Disclaimer:
This article is for study and communication only. It is strictly forbidden to use it for illegal operations; all consequences are borne by you alone. Reading this article means that you have agreed to this statement.