fix: services uncontrolled data used in path expression #11605
Conversation
|
Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes. |
|
|
Thanks for posting the PR. This is a know issue since: #11483 |
|
@mklos-kw Thank you for the feedback. I understand that the previous implementation failed the same tests. In this new pull request, I’ve taken a different direction by focusing on a more secure approach as suggested, aiming to address the issue in a more reliable way. Best regards, |
fix the problem, we should ensure that the resolved path is strictly contained within the intended root directory of the file server. This can be done by resolving the user-supplied path against the root, normalizing it, and then checking that the resulting absolute path is still within the root directory. In the context of Go's
http.FileSystem, this means we should check that the cleaned path does not escape the root of the embedded filesystem. Since we may not have access to the actual filesystem path (e.g., withembed.FS), we can instead reject any path that, after cleaning, contains any parent directory references (..) or is absolute. We should also ensure that the path is not empty and does not contain any path separators at the start (other than the leading slash).The best way to implement this is to add a check after cleaning the path, before opening the file, to ensure that the path is relative and does not contain any
..components. This can be done by splitting the path and checking its components. The changes should be made in theServeHTTPmethod inservices/web/pkg/assets/server.go, specifically after line 81 and before line 99.Types of changes
Checklist: