#266 addressing path traversal issue on static file delivery

go-aah · Mar 3, 2020 · 55fb845 · 55fb845
1 parent 0bcfe2c
commit 55fb845
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -9,6 +9,7 @@
 
 ### News
 
+  * `v0.12.4` [released](https://docs.aahframework.org/release-notes.html) and tagged on Mar 03, 2020.
   * `v0.12.3` [released](https://docs.aahframework.org/release-notes.html) and tagged on Feb 06, 2019.
   * `v0.12.2` [released](https://docs.aahframework.org/release-notes.html) and tagged on Dec 13, 2018.
   * `v0.12.0` [released](https://docs.aahframework.org/release-notes.html) and tagged on Dec 02, 2018.

diff --git a/http_engine.go b/http_engine.go
@@ -8,13 +8,14 @@ import (
 	"errors"
 	"io"
 	"net/http"
+	"path"
 	"sync"
 	"time"
 
 	"aahframe.work/ahttp"
 	"aahframe.work/ainsp"
 	"aahframe.work/aruntime"
-	"aahframe.work/essentials"
+	ess "aahframe.work/essentials"
 	"aahframe.work/internal/settings"
 	"aahframe.work/log"
 	"aahframe.work/security"
@@ -80,6 +81,9 @@ func (e *HTTPEngine) Handle(w http.ResponseWriter, r *http.Request) {
 		defer e.a.accessLog.Log(ctx)
 	}
 
+	// Path Clean
+	r.URL.Path = path.Clean(r.URL.Path)
+
 	ctx.Req, ctx.Res = ahttp.AcquireRequest(r), ahttp.AcquireResponseWriter(w)
 
 	// Recovery handling

diff --git a/static.go b/static.go
@@ -19,7 +19,7 @@ import (
 	"strings"
 
 	"aahframe.work/ahttp"
-	"aahframe.work/essentials"
+	ess "aahframe.work/essentials"
 	"aahframe.work/internal/util"
 	"aahframe.work/vfs"
 )
@@ -166,6 +166,14 @@ func (s *staticManager) open(ctx *Context) (vfs.File, error) {
 		filePath = parseCacheBustPart(ctx.Req.PathValue("filepath"), s.a.BuildInfo().Version)
 	}
 
+	// path clean happens at http engine level also
+	// adding secondary check to disallow any access to
+	// config directory and its subtree
+	filePath = path.Join(ctx.route.Dir, filePath)
+	if strings.HasPrefix(filePath, "config") {
+		return nil, errors.New("resource access is not allowed")
+	}
+
 	resource := filepath.ToSlash(path.Join(s.a.VirtualBaseDir(), ctx.route.Dir, filePath))
 	ctx.Log().Tracef("Static resource: %s", resource)
 

diff --git a/version.go b/version.go
@@ -5,4 +5,4 @@
 package aah
 
 // Version no. of aah framework
-const Version = "0.12.3"
+const Version = "0.12.4"