Skip to content

🧹 chore: Improve static middleware security #3595

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ReneWerner87 merged 11 commits into from
Jul 20, 2025
Merged

🧹 chore: Improve static middleware security #3595

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
22ed1d0
Improve path sanitization and add traversal tests
gaby Jul 18, 2025
5d802f2
Merge branch 'main' into 2025-07-18-13-58-39
gaby Jul 18, 2025
9dd0bb1
Fix lint issues and constants
gaby Jul 19, 2025
22fa00b
Merge branch '2025-07-18-13-58-39' into 2025-07-19-15-07-55
gaby Jul 19, 2025
9fdd1a8
Merge pull request #3600 from gofiber/2025-07-19-15-07-55
gaby Jul 19, 2025
55b4750
Merge branch 'main' into 2025-07-18-13-58-39
gaby Jul 19, 2025
9c0941f
Use utils.TrimLeft
gaby Jul 19, 2025
3ae67e8
Fix call to trim
gaby Jul 20, 2025
ebb662a
Update static.go
gaby Jul 20, 2025
89ab84b
Update static.go
gaby Jul 20, 2025
eb4800d
Update static.go
gaby Jul 20, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 25 additions & 2 deletions client/client_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1588,6 +1588,29 @@
}

func Test_Client_SetProxyURL(t *testing.T) {
httpProxy := os.Getenv("HTTP_PROXY")
httpProxyLower := os.Getenv("http_proxy")
httpsProxy := os.Getenv("HTTPS_PROXY")
httpsProxyLower := os.Getenv("https_proxy")
noProxy := os.Getenv("NO_PROXY")
noProxyLower := os.Getenv("no_proxy")

os.Unsetenv("HTTP_PROXY")

Check failure on line 1598 in client/client_test.go

View workflow job for this annotation

GitHub Actions / lint 

Error return value of `os.Unsetenv` is not checked (errcheck)
os.Unsetenv("http_proxy")

Check failure on line 1599 in client/client_test.go

View workflow job for this annotation

GitHub Actions / lint 

Error return value of `os.Unsetenv` is not checked (errcheck)
os.Unsetenv("HTTPS_PROXY")

Check failure on line 1600 in client/client_test.go

View workflow job for this annotation

GitHub Actions / lint 

Error return value of `os.Unsetenv` is not checked (errcheck)
os.Unsetenv("https_proxy")

Check failure on line 1601 in client/client_test.go

View workflow job for this annotation

GitHub Actions / lint 

Error return value of `os.Unsetenv` is not checked (errcheck)
os.Unsetenv("NO_PROXY")

Check failure on line 1602 in client/client_test.go

View workflow job for this annotation

GitHub Actions / lint 

Error return value of `os.Unsetenv` is not checked (errcheck)
os.Unsetenv("no_proxy")

Check failure on line 1603 in client/client_test.go

View workflow job for this annotation

GitHub Actions / lint 

Error return value of `os.Unsetenv` is not checked (errcheck)

t.Cleanup(func() {
os.Setenv("HTTP_PROXY", httpProxy)

Check failure on line 1606 in client/client_test.go

View workflow job for this annotation

GitHub Actions / lint 

Error return value of `os.Setenv` is not checked (errcheck)
os.Setenv("http_proxy", httpProxyLower)

Check failure on line 1607 in client/client_test.go

View workflow job for this annotation

GitHub Actions / lint 

Error return value of `os.Setenv` is not checked (errcheck)
os.Setenv("HTTPS_PROXY", httpsProxy)

Check failure on line 1608 in client/client_test.go

View workflow job for this annotation

GitHub Actions / lint 

Error return value of `os.Setenv` is not checked (errcheck)
os.Setenv("https_proxy", httpsProxyLower)

Check failure on line 1609 in client/client_test.go

View workflow job for this annotation

GitHub Actions / lint 

Error return value of `os.Setenv` is not checked (errcheck)
os.Setenv("NO_PROXY", noProxy)
os.Setenv("no_proxy", noProxyLower)
})

t.Parallel()

app, dial, start := createHelperServer(t)
Expand All @@ -1603,7 +1626,7 @@
DisablePathNormalizing: true,
}

// Create a simple proxy sever
// Create a simple proxy server
proxyServer := fiber.New()

proxyServer.Use("*", func(c fiber.Ctx) error {
Expand Down Expand Up @@ -1664,7 +1687,7 @@
t.Parallel()
client := New()

err := client.SetProxyURL(":this is not a proxy")
err := client.SetProxyURL("http://127.0.0.1:1")
require.NoError(t, err)

_, err = client.Get("http://localhost:3000")
Expand Down
60 changes: 59 additions & 1 deletion middleware/static/static.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,9 @@ package static
import (
"fmt"
"io/fs"
"net/url"
"os"
pathpkg "path"
"path/filepath"
"strconv"
"strings"
Expand All @@ -14,6 +16,57 @@ import (
"github.com/valyala/fasthttp"
)

// sanitizePath validates and cleans the requested path.
// It returns an error if the path attempts to traverse directories.
func sanitizePath(p []byte, filesystem fs.FS) ([]byte, error) {
// convert backslashes to slashes for consistency
s := strings.ReplaceAll(string(p), "\\", "/")

// repeatedly unescape until it no longer changes, catching errors
for {
if !strings.Contains(s, "%") {
break
}
us, err := url.PathUnescape(s)
if err != nil {
return nil, fmt.Errorf("invalid path")
}
if us == s {
break
}
s = us
}

// reject any null bytes or traversal attempts
if strings.Contains(s, "\x00") || strings.Contains(s, "..") || strings.Contains(s, ":") {
Comment thread
gaby marked this conversation as resolved.
Outdated
return nil, fmt.Errorf("invalid path")
}
Comment thread
gaby marked this conversation as resolved.
Outdated

raw := s
Comment thread
coderabbitai[bot] marked this conversation as resolved.
Outdated
s = pathpkg.Clean("/" + s)

if filesystem != nil {
s = strings.TrimPrefix(s, "/")
if s == "" {
return []byte("/"), nil
}
Comment thread
gaby marked this conversation as resolved.
if !fs.ValidPath(s) {
return nil, fmt.Errorf("invalid path")
}
s = "/" + s
} else {
// verify no traversal after cleaning
if strings.Contains(raw, "..") || strings.Contains(s, "..") {
return nil, fmt.Errorf("invalid path")
}
if !strings.HasPrefix(s, "/") {
s = "/" + s
}
}
Comment thread
gaby marked this conversation as resolved.
Outdated

return utils.UnsafeBytes(s), nil
}

// New creates a new middleware handler.
// The root argument specifies the root directory from which to serve static assets.
//
Expand Down Expand Up @@ -108,7 +161,12 @@ func New(root string, cfg ...Config) fiber.Handler {
path = append([]byte("/"), path...)
}

return path
sanitized, err := sanitizePath(path, fs.FS)
if err != nil {
// return a guaranteed-missing path so fs responds with 404
return []byte("/__fiber_invalid__")
}
return sanitized
Comment thread
gaby marked this conversation as resolved.
}

maxAge := config.MaxAge
Expand Down
184 changes: 184 additions & 0 deletions middleware/static/static_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -900,3 +900,187 @@ func Test_Router_Mount_n_Static(t *testing.T) {
require.NoError(t, err, "app.Test(req)")
require.Equal(t, 200, resp.StatusCode, "Status code")
}

func Test_Static_PathTraversal(t *testing.T) {
// Skip this test if running on Windows
if runtime.GOOS == "windows" {
t.Skip("Skipping Windows-specific tests")
}

t.Parallel()
app := fiber.New()

// Serve only from "../../.github/testdata/fs/css"
// This directory should contain `style.css` but not `index.html` or anything above it.
rootDir := "../../.github/testdata/fs/css"
app.Get("/*", New(rootDir))

// A valid request: should succeed
validReq := httptest.NewRequest(fiber.MethodGet, "/style.css", nil)
validResp, err := app.Test(validReq)
require.NoError(t, err, "app.Test(req)")
require.Equal(t, 200, validResp.StatusCode, "Status code")
require.Equal(t, fiber.MIMETextCSSCharsetUTF8, validResp.Header.Get(fiber.HeaderContentType))
validBody, err := io.ReadAll(validResp.Body)
require.NoError(t, err, "app.Test(req)")
require.Contains(t, string(validBody), "color")

Comment thread
gaby marked this conversation as resolved.
// Helper function to assert that a given path is blocked.
// Blocked can mean different status codes depending on what triggered the block.
// We'll accept 400 or 404 as "blocked" statuses:
// - 404 is the expected blocked response in most cases.
// - 400 might occur if fasthttp rejects the request before it's even processed (e.g., null bytes).
assertTraversalBlocked := func(path string) {
req := httptest.NewRequest(fiber.MethodGet, path, nil)
resp, err := app.Test(req)
require.NoError(t, err, "app.Test(req)")

status := resp.StatusCode
require.Truef(t, status == 400 || status == 404,
"Status code for path traversal %s should be 400 or 404, got %d", path, status)

body, err := io.ReadAll(resp.Body)
require.NoError(t, err)

// If we got a 404, we expect the "Cannot GET" message because that's how fiber handles NotFound by default.
if status == 404 {
require.Contains(t, string(body), "Cannot GET",
"Blocked traversal should have a Cannot GET message for %s", path)
} else {
require.Contains(t, string(body), "Are you a hacker?",
"Blocked traversal should have a Cannot GET message for %s", path)
}
}

// Basic attempts to escape the directory
assertTraversalBlocked("/index.html..")
assertTraversalBlocked("/style.css..")
assertTraversalBlocked("/../index.html")
assertTraversalBlocked("/../../index.html")
assertTraversalBlocked("/../../../index.html")

// Attempts with double slashes
assertTraversalBlocked("//../index.html")
assertTraversalBlocked("/..//index.html")

// Encoded attempts: `%2e` is '.' and `%2f` is '/'
assertTraversalBlocked("/..%2findex.html") // ../index.html
assertTraversalBlocked("/%2e%2e/index.html") // ../index.html
assertTraversalBlocked("/%2e%2e%2f%2e%2e/secret") // ../../../secret

// Mixed encoded and normal attempts
assertTraversalBlocked("/%2e%2e/../index.html") // ../../index.html
assertTraversalBlocked("/..%2f..%2fsecret.json") // ../../../secret.json

// Attempts with current directory references
assertTraversalBlocked("/./../index.html")
assertTraversalBlocked("/././../index.html")

// Trailing slashes
assertTraversalBlocked("/../")
assertTraversalBlocked("/../../")

// Attempts to load files from an absolute path outside the root
assertTraversalBlocked("/" + rootDir + "/../../index.html")

// Additional edge cases:

// Double-encoded `..`
assertTraversalBlocked("/%252e%252e/index.html") // double-encoded .. -> ../index.html after double decoding

// Multiple levels of encoding and traversal
assertTraversalBlocked("/%2e%2e%2F..%2f%2e%2e%2fWINDOWS") // multiple ups and unusual pattern
assertTraversalBlocked("/%2e%2e%2F..%2f%2e%2e%2f%2e%2e/secret") // more complex chain of ../

// Null byte attempts
assertTraversalBlocked("/index.html%00.jpg")
assertTraversalBlocked("/%00index.html")
assertTraversalBlocked("/somefolder%00/something")
assertTraversalBlocked("/%00/index.html")

// Attempts to access known system files
assertTraversalBlocked("/etc/passwd")
assertTraversalBlocked("/etc/")

// Complex mixed attempts with encoded slashes and dots
assertTraversalBlocked("/..%2F..%2F..%2F..%2Fetc%2Fpasswd")
Comment thread
gaby marked this conversation as resolved.

// Attempts inside subdirectories with encoded traversal
assertTraversalBlocked("/somefolder/%2e%2e%2findex.html")
assertTraversalBlocked("/somefolder/%2e%2e%2f%2e%2e%2findex.html")

// Backslash encoded attempts
assertTraversalBlocked("/%5C..%5Cindex.html")
}

func Test_Static_PathTraversal_WindowsOnly(t *testing.T) {
// Skip this test if not running on Windows
if runtime.GOOS != "windows" {
t.Skip("Skipping Windows-specific tests")
}

t.Parallel()
app := fiber.New()

// Serve only from "../../.github/testdata/fs/css"
rootDir := "../../.github/testdata/fs/css"
app.Get("/*", New(rootDir))

// A valid request (relative path without backslash):
validReq := httptest.NewRequest(fiber.MethodGet, "/style.css", nil)
validResp, err := app.Test(validReq)
require.NoError(t, err, "app.Test(req)")
require.Equal(t, 200, validResp.StatusCode, "Status code for valid file on Windows")
body, err := io.ReadAll(validResp.Body)
require.NoError(t, err, "app.Test(req)")
require.Contains(t, string(body), "color")

// Helper to test blocked responses
assertTraversalBlocked := func(path string) {
req := httptest.NewRequest(fiber.MethodGet, path, nil)
resp, err := app.Test(req)
require.NoError(t, err, "app.Test(req)")

// We expect a blocked request to return either 400 or 404
status := resp.StatusCode
require.Containsf(t, []int{400, 404}, status,
"Status code for path traversal %s should be 400 or 404, got %d", path, status)

// If it's a 404, we expect a "Cannot GET" message
if status == 404 {
body, err := io.ReadAll(resp.Body)
require.NoError(t, err)
require.Contains(t, string(body), "Cannot GET",
"Blocked traversal should have a 'Cannot GET' message for %s", path)
} else {
require.Contains(t, string(body), "Are you a hacker?",
"Blocked traversal should have a Cannot GET message for %s", path)
}
}

// Windows-specific traversal attempts
// Backslashes are treated as directory separators on Windows.
assertTraversalBlocked("/..\\index.html")
assertTraversalBlocked("/..\\..\\index.html")

// Attempt with a path that might try to reference Windows drives or absolute paths
// Note: These are artificial tests to ensure no drive-letter escapes are allowed.
assertTraversalBlocked("/C:\\Windows\\System32\\cmd.exe")
assertTraversalBlocked("/C:/Windows/System32/cmd.exe")

// Attempt with UNC-like paths (though unlikely in a web context, good to test)
assertTraversalBlocked("//server\\share\\secret.txt")

// Attempt using a mixture of forward and backward slashes
assertTraversalBlocked("/..\\..\\/index.html")

// Attempt that includes a null-byte on Windows
assertTraversalBlocked("/index.html%00.txt")

// Check behavior on an obviously non-existent and suspicious file
assertTraversalBlocked("/\\this\\path\\does\\not\\exist\\..")

// Attempts involving relative traversal and current directory reference
assertTraversalBlocked("/.\\../index.html")
assertTraversalBlocked("/./..\\index.html")
}
Loading