Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

v3: Improve path validation in Static Middleware #3105

Open
wants to merge 11 commits into
base: main
Choose a base branch
from
+205 −2
Open

v3: Improve path validation in Static Middleware #3105

Changes from 6 commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
35671a9
Update static.go
ashermyers Aug 20, 2024
63afcdf
Update static.go
ashermyers Aug 20, 2024
65948c0
Merge branch 'main' into main
gaby Aug 23, 2024
12b8bf0
Merge branch 'main' into main
gaby Sep 8, 2024
14cbaa0
Merge branch 'main' into main
gaby Nov 6, 2024
abdff10
Merge branch 'main' into main
gaby Dec 9, 2024
cc6ed88
Add more checks. Add extensive testing of traversal paths
gaby Dec 9, 2024
d8e225c
Add separate test for windows
gaby Dec 10, 2024
42e4a1a
Do not prefix with /
gaby Dec 10, 2024
c65df17
Skip linux test if running Windows
gaby Dec 10, 2024
8b85d19
Merge branch 'main' into main
gaby Dec 16, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 13 additions & 0 deletions middleware/static/static.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -102,6 +102,19 @@ func New(root string, cfg ...Config) fiber.Handler {
path = append([]byte("/"), path...)
}

// Perform explicit path validation
absRoot, err := filepath.Abs(root)
if err != nil {
fctx.Response.SetStatusCode(fiber.StatusInternalServerError)
return nil
}
Comment on lines +107 to +111
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codebase verification

Add test case for filepath.Abs error handling

The error handling for filepath.Abs(root) is not covered by any existing tests. A test case should be added that verifies the middleware returns a 500 Internal Server Error when filepath.Abs fails. This can be achieved by using an invalid root path that triggers the error condition.

Example test case to add:

func Test_Static_AbsError(t *testing.T) {
    app := fiber.New()
    app.Get("/*", New("\x00invalid")) // null byte in path triggers Abs error

    req := httptest.NewRequest(fiber.MethodGet, "/", nil)
    resp, err := app.Test(req)
    require.NoError(t, err)
    require.Equal(t, fiber.StatusInternalServerError, resp.StatusCode)
}
🔗 Analysis chain

Add test coverage for root resolution error

The error handling for filepath.Abs(root) is correct, but lacks test coverage.

Let's verify the test coverage:

Would you like me to help create a test case that verifies this error path? We could use an invalid root path to trigger this scenario.

Let me verify if there are any existing tests for error cases in the static middleware by checking the test file more thoroughly.

After reviewing the test file, I can see that there are comprehensive tests for various scenarios, but none specifically testing the filepath.Abs error path. Let me check if there are any other relevant tests in the codebase.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check if there are any tests that verify the root resolution error
rg -l "StatusInternalServerError.*filepath\.Abs" middleware/static/static_test.go || echo "No tests found for root resolution error"

Length of output: 174

Script:

#!/bin/bash
# Check the content of static_test.go to see existing test patterns
cat middleware/static/static_test.go

Length of output: 35332

Script:

#!/bin/bash
# Search for any tests related to filepath.Abs error handling
rg -l "filepath\.Abs.*error" middleware/static/

Length of output: 49

🧰 Tools
🪛 GitHub Check: codecov/patch

[warning] 109-111: middleware/static/static.go#L109-L111
Added lines #L109 - L111 were not covered by tests


absPath, err := filepath.Abs(filepath.Join(absRoot, string(path)))
if err != nil || !strings.HasPrefix(absPath, absRoot) {
fctx.Response.SetStatusCode(fiber.StatusForbidden)
return nil
}
gaby marked this conversation as resolved.
Show resolved Hide resolved

return path
}

Expand Down