Path Traversal Attacks #1226
Comments
I'm guessing this is about the unsafe usage of one of the ServeFile functions? They allow anything as they use Or was this about another issue?
I wrote an example for demonstration: https://github.com/egovorukhin/pathTraversalAttacks, using fiber (https://github.com/gofiber/fiber). The path is checked for correctness in the function fasthttp -> uri.go -> normalizePath(dst, src []byte) []byte.
I'm not seeing any issues with your example repo:
Are you maybe on a Windows machine? Does running these commands result in something different for you?
Yes, the app runs on a Windows cluster. Could you add a fix for such cases? Please.
Now that you have shown that it's also not secure on Windows, I'm wondering if I should prevent the use of
I added the code to the normalizePath function and it solved my problem.

File strings.go:

```go
var (
	...
	// "/..\" and "\..\" are parent-directory references when Windows file APIs
	// treat "\" as a separator; the existing code only handles "/../".
	strSlashDotDotBackSlash     = []byte(`/..\`)
	strBackSlashDotDotBackSlash = []byte(`\..\`)
	...
)
```

File uri.go:

```go
func normalizePath(dst, src []byte) []byte {
	...
	// remove /foo/..\ parts
	for {
		n := bytes.Index(b, strSlashDotDotBackSlash)
		if n < 0 {
			break
		}
		// nn is the start of the segment that the ".." cancels out
		nn := bytes.LastIndexByte(b[:n], '/')
		if nn < 0 {
			nn = 0
		}
		// keep the trailing separator so the following segment stays rooted
		n += len(strSlashDotDotBackSlash) - 1
		copy(b[nn:], b[n:])
		b = b[:len(b)-n+nn]
	}
	// remove /foo\..\ parts
	for {
		n := bytes.Index(b, strBackSlashDotDotBackSlash)
		if n < 0 {
			break
		}
		nn := bytes.LastIndexByte(b[:n], '/')
		if nn < 0 {
			nn = 0
		}
		n += len(strBackSlashDotDotBackSlash) - 1
		copy(b[nn:], b[n:])
		b = b[:len(b)-n+nn]
	}
	...
}
```
Hello, I found another security bug on Windows. Example - SOLUTION:

File strings.go:

```go
var (
	...
	// "\../" is the remaining separator combination not yet handled
	strBackSlashDotDotSlash = []byte(`\../`)
	...
)
```

File uri.go:

```go
func normalizePath(dst, src []byte) []byte {
	...
	// only on Windows, where the OS accepts "\" as a path separator
	if filepath.Separator == '\\' {
		...
		// remove /foo\../ parts
		for {
			n := bytes.Index(b, strBackSlashDotDotSlash)
			if n < 0 {
				break
			}
			nn := bytes.LastIndexByte(b[:n], '/')
			if nn < 0 {
				nn = 0
			}
			n += len(strBackSlashDotDotSlash) - 1
			copy(b[nn:], b[n:])
			b = b[:len(b)-n+nn]
		}
		...
	}
	...
}
```
Hello, I found a problem when requesting a path traversal attack (https://localhost/..%5clogs/app.log). If you specify a backslash (%5c) character in the path, then you can follow the path /../ and get data from the root. It may be worth adding a check for this part of the path: /... strSlashDotDotBackSlash = []byte("/.."). At your discretion. Thanks.
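The thread above handles the Windows separator problem by adding one byte-pattern loop per combination (`/..\`, `\..\`, `\../`). The following is an added example, not fasthttp's code and not the code posted in this issue, showing the more general approach: percent-decode first (so `%5c` becomes `\` before any check runs), fold every `\` into `/`, and then resolve `..` segments once, refusing any path that climbs above the served root. It goes beyond the three patterns discussed by treating every mix of separators the same way. The function names `SafeRequestPath`, `climbsAboveRoot` and `ServedFilePath`, the root `/srv/www` and all request paths are constructed for the example; nothing is read from disk.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a request path tries to climb above the served root.
var ErrTraversal = errors.New("request path escapes the served root")

// SafeRequestPath percent-decodes a raw request path, folds backslashes into
// forward slashes (Windows file APIs accept either, so "\.." is ".." there),
// and then resolves "." and ".." segments. Any ".." that would go above "/"
// is reported as traversal instead of being silently dropped.
func SafeRequestPath(raw string) (string, error) {
	// Only the path component names a file; discard any query string first.
	if i := strings.IndexByte(raw, '?'); i >= 0 {
		raw = raw[:i]
	}
	decoded, err := url.PathUnescape(raw) // %5c -> \, %2e -> ., and so on
	if err != nil {
		return "", err
	}
	// A NUL byte truncates the name in C-based file APIs; never let it through.
	if strings.IndexByte(decoded, 0) >= 0 {
		return "", errors.New("NUL byte in request path")
	}
	// Treat "\" exactly like "/" so that "/..\x", "\..\x" and "\../x" are all
	// seen as parent-directory references by the segment walk below.
	unified := strings.ReplaceAll(decoded, `\`, "/")
	if climbsAboveRoot(unified) {
		return "", ErrTraversal
	}
	// Forcing a leading "/" makes path.Clean resolve ".." against the root.
	return path.Clean("/" + unified), nil
}

// climbsAboveRoot walks the segments and reports whether ".." is ever applied
// at depth zero, i.e. whether the path refers to something outside the root.
func climbsAboveRoot(p string) bool {
	depth := 0
	for _, seg := range strings.Split(p, "/") {
		switch seg {
		case "", ".":
			// empty (doubled slash) and current-dir segments change nothing
		case "..":
			depth--
			if depth < 0 {
				return true
			}
		default:
			depth++
		}
	}
	return false
}

// ServedFilePath maps a request path onto a file under root and re-checks
// containment on the resulting filesystem path as a second, independent guard.
func ServedFilePath(root, raw string) (string, error) {
	p, err := SafeRequestPath(raw)
	if err != nil {
		return "", err
	}
	full := filepath.Join(root, filepath.FromSlash(p))
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return full, nil
}

func main() {
	const root = "/srv/www" // constructed root directory (hypothetical)
	// Constructed request paths, including the one from the report.
	for _, raw := range []string{
		"/logs/app.log",
		"/..%5clogs/app.log",
		"/static/..%5c..%5cwindows/win.ini",
		"/foo%5c../bar.txt",
		"/a%5cb/../c?x=1",
	} {
		full, err := ServedFilePath(root, raw)
		if err != nil {
			fmt.Printf("%-40s REJECT  %v\n", raw, err)
			continue
		}
		fmt.Printf("%-40s SERVE   %s\n", raw, full)
	}
}
```

Two design points. Decoding has to happen before normalization; a check that looks for `/..\` in the still-encoded path never sees `..%5c`. And folding `\` into `/` is a Windows-serving decision: on POSIX a backslash is an ordinary filename byte, so a server that only ever runs there may prefer to leave it alone, but a library that can run on either platform has to assume the stricter interpretation.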