Tags: web nodejs secure-coding 

## maze (Secure Coding/Config, 100pt)

> I created this really cool CTF challenge where users are supposed to bypass client side authentication to get a flag. However it seems like people are able to get the flag through other means!
> Can you find and fix the problem in my challenge for me?
>
> <https://gitlab.ctf.tamu.edu/root/maze>

You can find the unpatched source code in the [maze](maze/) folder.

#### Vulnerability

Path traversal: `request.url` is concatenated into the file path without sanitization, so `..` segments in the URL can reach files outside the directory the server is meant to serve.

#### Patch

Use [`path.normalize`](https://millermedeiros.github.io/mdoc/examples/node_api/doc/path.html#path.normalize) to sanitize `request.url` before it is joined to the directory: it collapses `.` and `..` segments, and because `request.url` is an absolute path (it starts with `/`) the result cannot climb above `/`, so the file path stays under the server's parent directory.

```diff
diff --git a/server/server.js b/server/server.js
index 8798017..54356a0 100755
--- a/server/server.js
+++ b/server/server.js
@@ -29,7 +29,7 @@ app.get('/exit', function(request, response) {
app.get('/*', function(request, response){
console.log('request starting...');

- var filePath = __dirname + '/..' +request.url;
+ var filePath = __dirname + '/..' +path.normalize(request.url);
if (filePath == __dirname)
filePath = __dirname + '/../public/index.html';
var extname = path.extname(filePath);
```
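
Review bot: the fix at `+ var filePath = __dirname + '/..' +path.normalize(request.url);` works only because `request.url` is absolute, so `path.normalize` silently drops its leading `..` segments; nothing in the hunk verifies that the final path lies under the intended root. Resolving the path against the root and testing the prefix, e.g. `var resolved = path.resolve(__dirname, '..', '.' + request.url);` followed by a check that `resolved` starts with the root directory, would state the intent directly and not depend on that normalize behaviour. Two pre-existing points worth fixing in the same place: `request.url` still carries any query string into the file path, and the comparison `if (filePath == __dirname)` can never match because `'/..'` is always appended, so the `index.html` fallback on the following line is unreachable. Minor style: a space is missing after the `+` before `path.normalize`.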

#### Flag

![Flag](flag.png)

[Original writeup](https://github.com/rkmylo/ctf-write-ups/tree/master/2018-tamuctf/secure-coding-config/maze-100).