Redirect to external website

[pierre-elie]

Stumbled upon a weird behavior where serve-static would redirect to an external website when "asked nicely".

Reproduction Steps

Using express 4.10.6 and static-serve 1.7.1 on node 0.10.33.

1. Simple app.js

var app = require('express')();
app.use(require('serve-static')('assets'));
app.listen(80);

2. Start server

$ sudo node app.js

3. Open in Firefox http://localhost//www.google.com/%2e%2e

Request

GET //www.google.com/%2e%2e HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive

Response

HTTP/1.1 303 See Other
X-Powered-By: Express
Content-Type: text/html; charset=utf-8
Location: //www.google.com/%2e%2e/
Date: Sat, 03 Jan 2015 01:13:49 GMT
Connection: keep-alive
Transfer-Encoding: chunked

Redirecting to <a href="//www.google.com/%2e%2e/">//www.google.com/%2e%2e/</a>

4. You get redirected to Google...

---

It works in Firefox, Safari and probably IE, not in Chrome.
Setting static-serve’s option redirect: false seems to fix it (but redirect: true is the default).

It looks like many applications could be affected.
A quick test on apps listed on http://expressjs.com/resources/applications.html does not disappoint:

• https://myspace.com//www.google.com/%2e%2e
• https://www.learnboost.com//www.google.com/%2e%2e
• https://geekli.st//www.google.com/%2e%2e
• etc

send emits directory in that case, which triggers the redirection.

[dougwilson]

Great, I'll fix this as soon as I get home. The caveat is that you need to mount this middleware at the root.

[dougwilson]

Hi @pierre-elie ! If you have the time and are willing, I would love it if you could verify the fix that is currently on master.

[dougwilson]

I went ahead and published it as 1.7.2, but I would still love to hear your assessment on the change as well :)

[pierre-elie]

Hey, thanks a lot for the fast change!
It definitely fixes it, though I was wondering if there would be an advantage to use path.normalize()
(in this specific case it would "convert" //www.google.com/../ to /)

[dougwilson]

The reason I didn't use path.normalize is a couple reasons: 1) that's not a file system path, so it wouldn't even work right when run on Windows (path.normalize would change all the slashes to backslashes on Windows) and 2) consider that this module was mounted at /some/path and a user requested /some/path/.., we would redirect the user outside of this module's control, which would probably lead to some other kind of unexpected behavior.

[dougwilson]

P.S., if you haven't done so already, please feel free to report this to https://nodesecurity.io/ , where the affected versions are all < 1.7.2 and fixed is 1.7.2.

[pierre-elie]

Right. Looks good to me then! Thanks again :)

[dougwilson]

And thank you soo much for bringing this to me attention :)! Go community!

[pierre-elie]

Reported by a researcher from https://bugcrowd.com/

[dougwilson]

Hey guys, this exact bug has existed in Python's SimpleHTTPServer since 2006. Feel free to attack them for it :)