Fix path traversal issue on static files #157
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
Before this commit, it is possible to do path traversals with static files. In `StaticUtil` (`StaticEndpoints.scala`), the `ctx.remainingPathSegments` is not properly sanitized and is priorly decoded in `Main.scala`. Therefore, if a static endpoint has a remaining path segment having `/` (e.g. if a client sends a `static/..%2F/hi.txt`), `filter` will fail to filter and the path `static/../hi.txt` will be returned, which should be prohibited.
Member
| The issue looks valid but the fix looks subtle and non-obvious. Could you add a unit test in |
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the pull request is closed. Suggestions cannot be applied while viewing a subset of changes. Only one suggestion per line can be applied in a batch. Add this suggestion to a batch that can be applied as a single commit. Applying suggestions on deleted lines is not supported. You must change the existing code in this line in order to create a valid suggestion. Outdated suggestions cannot be applied. This suggestion has been applied or marked resolved. Suggestions cannot be applied from pending reviews. Suggestions cannot be applied on multi-line comments. Suggestions cannot be applied while the pull request is queued to merge. Suggestion cannot be applied right now. Please check back later.
I discovered that there is a path traversal vulnerability with static files. Here is a repository that showcases the issue.
In
StaticUtil(StaticEndpoints.scala), thectx.remainingPathSegmentsis not properly sanitized and is priorly decoded inMain.scala. Therefore, if a static endpoint has a remaining path segment having/(e.g. if a client sends astatic/..%2F/hi.txt),filterwill fail to filter the..and the pathstatic/../hi.txtwill be returned to get returned to the client, which should be prohibited.