Fix path traversal issue in createTemporaryNodeServer

The test-only createTemporaryNodeServer helper featured a path traversal vulnerability. This enables attackers with network access to the device to read arbitrary files while unit tests are running that activate this test server. This patch fixes the issue by validation of paths. To test this vulnerability before the patch: 1. Run the test-only server: ``` node -e 'console.log(require("./test/unit/test_utils.js").createTemporaryNodeServer().port) ``` 2. From another terminal, send the following request (modify the port to the port reported in the previous step): ``` curl --path-as-is http://localhost:45755/../../package.json ``` Before the patch, the second step would traverse the directory, and return results from the root of the PDF.js repository, instead of files within test/pdfs/. With the patch, the server refuses the request with HTTP status 400.
mozilla · Nov 23, 2024 · 17da8ee · 17da8ee
1 parent 07765e9
commit 17da8ee
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/test/unit/test_utils.js b/test/unit/test_utils.js
@@ -127,9 +127,23 @@ function createTemporaryNodeServer() {
 
   const fs = process.getBuiltinModule("fs"),
     http = process.getBuiltinModule("http");
+  function isAcceptablePath(requestUrl) {
+    try {
+      // Reject unnormalized paths, to protect against path traversal attacks.
+      const url = new URL(requestUrl, "https://localhost/");
+      return url.pathname === requestUrl;
+    } catch {
+      return false;
+    }
+  }
   // Create http server to serve pdf data for tests.
   const server = http
     .createServer((request, response) => {
+      if (!isAcceptablePath(request.url)) {
+        response.writeHead(400);
+        response.end("Invalid path");
+        return;
+      }
       const filePath = process.cwd() + "/test/pdfs" + request.url;
       fs.promises.lstat(filePath).then(
         stat => {