@graphql-mesh/cli
cpe:2.3:a:the-guild:graphql_mesh:*:*:*:*:node.js:*:*
- >= 0.78.0, < 0.82.22
A vulnerability in the static file handler of GraphQL Mesh versions from 0.78.0 up to, but not including, 0.82.22, and in the @graphql-mesh/http package prior to 0.3.19, allows clients to read arbitrary files on the server's file system. The issue arises when the 'staticFiles' option is enabled in the 'serve' settings of the configuration file. The handler fails to verify that the requested file path, once decoded and normalized, remains within the designated static files directory, potentially exposing sensitive files such as 'package.json' or entries from the '/etc' directory.
Exploitation of this vulnerability could lead to unauthorized access to the server's file system, allowing clients to read sensitive files.
To reproduce this vulnerability, set the 'staticFiles' option in the '.meshrc.yml' configuration file to point to a directory, such as './public'. After starting the server with 'mesh dev', navigate to a path that includes directory traversal sequences, such as '/..%2fpackage.json'. The contents of the 'package.json' file will be displayed. This vulnerability can be further exploited by accessing deeper directory levels to retrieve sensitive data, such as the '/etc/passwd' file.
Users can update '@graphql-mesh/cli' to version 0.82.22 or later, and '@graphql-mesh/http' to version 0.3.19 or later. Alternatively, the 'staticFiles' option can be removed from the configuration and other methods can be used to serve static files.