Bug Report
Environment
OS: MacOS 13.4.1; Windows 11; Ubuntu 20.04
Zola version: 0.17.2
Expected Behavior
Application should only search & serve files within the webserver's root folder.
Current Behavior
Custom implementation of a web server, used for development purposes & available via the zola serve command, is vulnerable to a directory traversal. The handle_request function (zola/src/cmd/serve.rs, line 120 in 695c17d) performs insufficient checks over the user-supplied path in an HTTP request to the server.
The application only checks for a trusted path prefix, but does not actually fully resolve the path. Since the webroot directory is prepended to each path, this check will always be bypassed:
```rust
use std::path::PathBuf;

let root_path = PathBuf::from("/trusted_prefix/../../some/arbitrary/path");
let trusted_prefix = "/trusted_prefix";
root_path.starts_with(trusted_prefix); // <-- true: the prefix matches even though `..` leaves it
```
Thus it is possible to utilize path control sequences (/, ..) to escape the webroot & read arbitrary files off the FS of the machines running the zola serve command.
Steps to reproduce (UNIX)
Install zola
Run zola init poc && cd poc
Run zola serve
Use curl > 7.42 to trigger the path traversal via the following command: curl --path-as-is "http://localhost:1111/../../../../../../../../../../etc/passwd" -vvv
Successful exploitation should yield the contents of the /etc/passwd file.
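The following is an added illustration and is not code from the Zola project or from the reporter. It places the prefix check the report describes next to a hardened variant that resolves `.` and `..` lexically before the webroot is attached, and refuses any request that would climb above it; a final on-disk canonicalization guards against symlinks. The webroot `/srv/site/public`, the function names and the assumption that the request path has already been percent-decoded are all mine, not the project's.

```rust
use std::ffi::OsStr;
use std::path::{Component, Path, PathBuf};

/// Prefix check of the kind the report describes: prepend the webroot to the
/// request path and test `starts_with`. The webroot is always the prefix, so
/// `..` segments never trip this check. Illustration only, not Zola's code.
pub fn naive_prefix_check(webroot: &Path, request_path: &str) -> bool {
    let joined = webroot.join(request_path.trim_start_matches('/'));
    joined.starts_with(webroot)
}

/// Hardened variant: walk the request path component by component, resolving
/// `.` and `..` lexically before the webroot is attached. Any `..` that would
/// climb above the webroot, and any absolute/drive prefix, is rejected.
/// Assumes `request_path` has already been percent-decoded by the server.
pub fn resolve_inside_webroot(webroot: &Path, request_path: &str) -> Option<PathBuf> {
    let mut kept: Vec<&OsStr> = Vec::new();
    for component in Path::new(request_path).components() {
        match component {
            // A leading `/` or `.` carries no information relative to the webroot.
            Component::RootDir | Component::CurDir => {}
            // Windows drive/UNC prefixes never belong in a URL path.
            Component::Prefix(_) => return None,
            // `..` with nothing left to pop means the request left the webroot.
            Component::ParentDir => {
                kept.pop()?;
            }
            Component::Normal(segment) => kept.push(segment),
        }
    }
    let mut resolved = webroot.to_path_buf();
    resolved.extend(kept);
    Some(resolved)
}

/// Even a lexically clean path can point outside the webroot through a
/// symlink, so the last check before serving canonicalizes both sides.
pub fn confirm_on_disk(webroot: &Path, candidate: &Path) -> std::io::Result<bool> {
    let real_root = webroot.canonicalize()?;
    let real_file = candidate.canonicalize()?;
    Ok(real_file.starts_with(&real_root))
}

fn main() {
    let webroot = Path::new("/srv/site/public"); // hypothetical webroot
    let request = "/../../../../../../../../../../etc/passwd"; // path from the report
    println!("naive prefix check accepts it: {}", naive_prefix_check(webroot, request));
    println!("resolved check: {:?}", resolve_inside_webroot(webroot, request));
    println!("resolved check for /index.html: {:?}", resolve_inside_webroot(webroot, "/index.html"));
}
```

The lexical pass decides purely on the path string, which makes it cheap and testable without touching the filesystem; `confirm_on_disk` is the step that needs real files and catches the symlink case the lexical pass cannot see.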