API Security Blog

Unwanted access to the entire file system vulnerability due to a missing check in `staticFiles` HTTP handler

### Summary
A missing check in the static file handler allows any client to read files anywhere in the server's file system.

### Details
When `staticFiles` is set under `serve` in the configuration file, the following handler doesn't verify that `absolutePath` is still inside the directory given as `staticFiles`:

```ts
if (staticFiles) {
  router.get('/:relativePath+', async request => {
    let { relativePath } = request.params;
    if (!relativePath) {
      relativePath = 'index.html';
    }
    const absolutePath = path.join(baseDir, staticFiles, relativePath);
    // Only a substring test: it does not establish that absolutePath lies under staticFiles.
    if (absolutePath.includes(staticFiles) && (await pathExists(absolutePath))) {
      const readStream = fs.createReadStream(absolutePath);
      return new Response(readStream as any, {
        status: 200,
      });
    }
    return undefined;
  });
}
```

### Example scenario
To reproduce it, set `staticFiles` to the relative path of a directory in `.meshrc.yml`:

```yml
serve:
  staticFiles: ./public
```

Then start the server with `mesh dev` and browse to `/..%2fpackage.json`; the response is the content of `package.json`. Going further up the tree exposes sensitive data as well: `/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd`

### Impact and solution
If `staticFiles` is set under `serve` in the configuration file, you have two options to fix the vulnerability:

- Update `@graphql-mesh/cli` to a version higher than `0.82.21`, and if you use `@graphql-mesh/http`, update it to a version higher than `0.3.18`.
- Remove the `staticFiles` option from the configuration and use another solution to serve static files.

### Credits
Thanks to [alanwillms@gmail.com](mailto:alanwillms@gmail.com) for reporting this vulnerability with details.
