Comments (9)
hubcarl
commented on May 19, 2024
这个命令是用于本地开发使用的,需要使用者自己指定目录,目录可以任意指定
from easywebpack-cli.
muxishuihan
commented on May 19, 2024
你好,这个命令的主要问题并不是”目录可以任意指定”,而是指定目录后,可以跨目录访问到其他目录下的文件。比如,我执行了easy server -d mock -p 8009,-d /Users/kwai/Desktop/test,一个合理的实现是,我通过http请求只应该能够访问到/Users/kwai/Desktop/test目录下的文件及子目录。但我通过http://xxxxx/../../../../../../etc/passwd,却能够跨目录访问到/etc/passwd文件,这个漏洞的威胁是如果开放的server能够被其他机器访问(如局域网或互联网上的其他机器),访问者可以读取本机中的任意文件。当然我只是指出存在的问题,是否进行处理由您把握哈~
from easywebpack-cli.
hubcarl
commented on May 19, 2024
@muxishuihan 明白了,这个我处理一下,有兴趣也可以提个 PR 修复
from easywebpack-cli.
hubcarl
commented on May 19, 2024
@muxishuihan 我试了一下, 用 easy server -d test -p 8009 后, 然后访问 http://192.168.1.7:8009/../../easyjs-old/db 并不能访问上层目录内容, 最终获取的 filename 和 filepath 如下:
>>>filepath /easyjs-old/db /Users/sky/dev/easyteam/easywebpack-cli/test/easyjs-old/db
用 chrome, curl, postman 访问,最终获取文件内容的路径都是上面内容。
看看能够给个完整例子我试试
from easywebpack-cli.
muxishuihan
commented on May 19, 2024
@hubcarl 嗨~ 请问您有类似postman或者burpsuite的发包器嘛?浏览器或者curl应该是会自动将http://XXX/../../../../转成http://XXX/,这样就达不到跳转目录的目的啦。我自己使用curl和浏览器测试的结果也和您相同。
ok ,我给您录个像吧
from easywebpack-cli.
muxishuihan
commented on May 19, 2024
你好,我已经发送到了您在github登记的个人邮箱 [email protected] 。我个人不是很清楚为什么您使用postman也无法复现该问题。
from easywebpack-cli.
hubcarl
commented on May 19, 2024
你好,我已经发送到了您在github登记的个人邮箱 [email protected] 。我个人不是很清楚为什么您使用postman也无法复现该问题。
好的,我查看一下
from easywebpack-cli.
hubcarl
commented on May 19, 2024
@muxishuihan 可以帮忙调试一下,直接修改 node_modules 加一下日志,然后启动项目看看:
目前看可能出现问题是这两个地方:
- node_modules/node-tool-utils/lib/tool.js#L106, 获取 pathname 带有 /../ 这种,需要替换处理掉
- node_modules/node-http-server/server/Server.js#767
from easywebpack-cli.
muxishuihan
commented on May 19, 2024
@hubcarl 抱歉,这个我可能没法帮上忙。。因为我对node_modules完全不了解。。
from easywebpack-cli.
Related Issues (20)
- 作为脚手架是不是多余的东西太多了? HOT 1
- less 模板初始化Demo同步修改 HOT 1
- easy build prod 运行失败不报错 HOT 1
- npm run build出错 HOT 1
- easywebpack init 到选择第二步就停止了,项目目录文件也都不存在,也不报错直接退出了 HOT 7
- NVM Node v12.0.0安装失败,NPM/CNPM都试过。。。错误如下: HOT 1
- 真难用呀,init这一步,我就放弃了 HOT 1
- The easy init command is not available HOT 2
- 报错 HOT 1
- npm run build error HOT 1
- cnpm run build uglifyJs bug HOT 2
- 运行easywebpack dll报错 HOT 1
- easywebpack-cli 在 node15 版本下安装错误
- [email protected]版本下mini-css-extract-plugin使用报错 HOT 1
- 脚手架搭建的egg+多页面vue ssr,prod模式访问不了 HOT 1
- 不能正常运行 HOT 2
- easy build dev 没有watch参数 HOT 1
- easy zip --deps --nodejs 出错 HOT 1
- 新版本的easywebpack-cli在easy clean all的时候报错 HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from easywebpack-cli.