Off-by-slash vulnerability in nodejs.org and iojs.org
Medium
Node.js
Reported by
nagaro
Vulnerability Details
Technical details and impact analysis
**Summary:**
Configuration files for Nginx in the nodejs/build repository have multiple off-by-slash misconfigurations. Because nodejs.org and iojs.org are deployed using those files, an attacker can read files from directories the configuration was not meant to expose. (**This report is not related to nodejs/node.** Therefore, I understand that this report is not eligible for a bounty.)
**Description:**
The following files have multiple off-by-slash misconfigurations.
- https://github.com/nodejs/build/blob/main/ansible/www-standalone/resources/config/nodejs.org
- https://github.com/nodejs/build/blob/main/ansible/www-standalone/resources/config/iojs.org
For example, in the following block the `location /metrics` prefix has no trailing slash, while the `alias` path does.
```
location /metrics {                 # prefix without a trailing slash
    alias /home/dist/metrics/;      # alias path with a trailing slash
    autoindex on;
    default_type text/plain;
}
```
A location/alias pair like this is commonly known as an off-by-slash misconfiguration. Nginx matches the prefix `/metrics` against any URI that begins with it, including `/metrics../`, and `alias` replaces the matched prefix with `/home/dist/metrics/`. A request for `/metrics../<file>` is therefore mapped to `/home/dist/metrics/../<file>`. Nginx's URI normalization only collapses `..` when it is a whole path segment (`/../`), not when it is part of the segment `metrics..`, so the `..` survives to the filesystem lookup and the kernel resolves the path to `/home/dist/<file>`. In this case, an attacker can access files in the `/home/dist` directory via the `/metrics../` endpoint.
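To make the mechanism concrete, here is an added example (not code from the nodejs/build repository) that models what nginx does with a prefix `location` plus `alias`, and that scans a config fragment for the off-by-slash pattern. The vulnerable fragment is the one quoted above; the `FIXED_CONF` block is an assumed correction (adding the trailing slash to the prefix), not the upstream project's actual patch. The `alias_target` function is a simplified model of nginx's alias substitution followed by kernel path normalization; it is not nginx's own code.

```python
"""Off-by-slash checker and path-mapping model for nginx `location` + `alias`.

Added example, not from the nodejs/build repository. It parses simple
`location PREFIX { alias PATH; ... }` blocks, flags prefix/alias
trailing-slash mismatches, and shows the filesystem path a request URI
would be mapped to.
"""
import posixpath
import re

# Matches a *prefix* location (no `=`, `~`, `~*` or `^~` modifier) and its body.
LOCATION_RE = re.compile(
    r"location\s+(?P<prefix>/[^\s{~=^]*)\s*\{(?P<body>[^}]*)\}", re.S
)
ALIAS_RE = re.compile(r"\balias\s+(?P<path>[^;\s]+)\s*;")

# Vulnerable fragment as quoted in the report.
VULNERABLE_CONF = """
location /metrics {
    alias /home/dist/metrics/;
    autoindex on;
    default_type text/plain;
}
"""

# Assumed hardened version: trailing slash on the prefix as well, so the
# location only matches URIs under /metrics/ (this is an assumption for the
# example, not the project's actual fix).
FIXED_CONF = """
location /metrics/ {
    alias /home/dist/metrics/;
    autoindex on;
    default_type text/plain;
}
"""


def find_off_by_slash(conf):
    """Return (prefix, alias) pairs where the location prefix has no trailing
    slash but the alias path does: the off-by-slash pattern."""
    findings = []
    for m in LOCATION_RE.finditer(conf):
        prefix = m.group("prefix")
        alias = ALIAS_RE.search(m.group("body"))
        if alias is None:
            continue
        path = alias.group("path")
        if not prefix.endswith("/") and path.endswith("/"):
            findings.append((prefix, path))
    return findings


def alias_target(prefix, alias, uri):
    """Model of nginx alias substitution: the part of the URI that matches
    `prefix` is replaced by `alias`, then the filesystem normalizes the path.

    nginx only collapses `..` when it is a whole URI segment (`/../`);
    `metrics..` is a single segment, so it reaches the filesystem lookup.
    Returns None when the location does not match the URI at all.
    """
    if not uri.startswith(prefix):
        return None
    raw = alias + uri[len(prefix):]
    return posixpath.normpath(raw)


if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("fixed", FIXED_CONF)):
        print(name, "findings:", find_off_by_slash(conf))
    # The traversal request from the report, mapped through each config.
    print(alias_target("/metrics", "/home/dist/metrics/", "/metrics../.bashrc"))
    print(alias_target("/metrics/", "/home/dist/metrics/", "/metrics../.bashrc"))
```

With the vulnerable prefix, `/metrics../.bashrc` maps to `/home/dist/.bashrc`, which is exactly the traversal shown in the reproduction step; with the trailing slash on the prefix, the same URI no longer matches this location and falls through to whatever other location or `root` applies, so the alias is never involved.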
## Steps To Reproduce:
For example, you can browse the contents of `/home/dist/.bashrc` by accessing `https://nodejs.org/metrics../.bashrc`.
## Impact:
If sensitive files exist in the dist user's home directory, it is possible for an attacker to view their contents.
## Supporting Material/References:
* https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf
## Impact
An attacker can access files in the `/home/dist` directory of the nodejs.org and iojs.org servers.
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Path Traversal