Path Traversal in pokeapi/pokeapi
Sep 9th 2021
A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files. It should be noted that access to files is limited by system operational access control (such as in the case of locked or in-use files on the Microsoft Windows operating system).
NGINX is a web server which can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. The NGINX alias directive defines a replacement for the specified location.
The incorrect configuration of the alias could allow an attacker to read file stored outside the target folder.
In particular, the locations
/graphql/console is configured to have aliases
/public-console/, which the location doesn't ends with directory separator (
/) in nginx configuration file
Find all NGINX alias directives and make sure that the parent prefixed location ends with directory separator.
The vulnerability wasn't disclosed directly with any member of PokeAPI.
For disclosure, read more here: https://github.com/PokeAPI/pokeapi/security/advisories/GHSA-24vh-6cjj-7jxc
Next time, contact one fo the main contributors about it.