Security Issue (#62)

masasron · web-flow · commit 22ca5375dc92 · 2020-03-29T10:45:58.000-07:00
It is currently possible to overwrite the `repoDir` by sending a repository name that starts with a "/", the `path.resolve` method prioritizes the second argument see the example below.

path.resolve("/my/repo/folder","/etc"); // /etc

This behavior gives an attacker the ability to create/write/pull repositories from an arbitrary absolute path, this issue could also impact authentication in some cases as it corrupts the repository name.
diff --git a/lib/git.js b/lib/git.js
@@ -143,7 +143,7 @@ class Git extends EventEmitter {
         this.dirMap = repoDir;
     } else {
         this.dirMap = (dir) => {
-            return (path.normalize(dir ? path.resolve(repoDir, dir) : repoDir));
+            return (path.normalize(dir ? path.join(repoDir, dir) : repoDir));
         };
     }
 

Original file line number	Diff line number	Diff line change
`@@ -143,7 +143,7 @@ class Git extends EventEmitter {`
`143`	`143`	`this.dirMap = repoDir;`
`144`	`144`	`} else {`
`145`	`145`	`this.dirMap = (dir) => {`
`146`		`- return (path.normalize(dir ? path.resolve(repoDir, dir) : repoDir));`
	`146`	`+ return (path.normalize(dir ? path.join(repoDir, dir) : repoDir));`
`147`	`147`	`};`
`148`	`148`	`}`
`149`	`149`