On Reddit, user epiris reported the possibility of a directory traversal vulnerability in Static File delivery.
I have analyzed the issue and the pointers from epiris. aah framework uses http.Dir internally for serving directory listings. http.Dir has checks for Dot-Dot, the \ path separator and the \x00 char to prevent directory traversal vulnerabilities.
However, it is good to place the check in the framework before processing an incoming directory listing request.
Thanks to epiris for taking the time.
Note: Static file/directory delivery scenarios are protected by http.Dir.
Note: As per framework design, this issue possibility is only applicable to directory listing, not to static file serving, since the static file config is defined by the application user in routes.conf. aah framework will not entertain any request if the definition doesn't match routes.conf.
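An added example (not aah framework code) of the kind of framework-level check described above: it mirrors the three rejections http.Dir performs (a ".." segment, a backslash, a NUL byte) and runs them before a directory listing request is processed. The function name SafeListingPath and the sample paths are assumptions constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrInvalidPath is returned for any request path that could escape the root.
var ErrInvalidPath = errors.New("invalid request path")

// containsDotDot mirrors the segment check in net/http's fs.go: the path is
// rejected if any slash- or backslash-separated segment is exactly "..".
func containsDotDot(v string) bool {
	if !strings.Contains(v, "..") {
		return false
	}
	isSep := func(r rune) bool { return r == '/' || r == '\\' }
	for _, seg := range strings.FieldsFunc(v, isSep) {
		if seg == ".." {
			return true
		}
	}
	return false
}

// SafeListingPath validates a directory-listing request path before the
// framework hands it on to http.Dir (hypothetical helper name). It rejects
// "..", backslashes and NUL bytes, then returns the cleaned rooted path.
func SafeListingPath(requested string) (string, error) {
	if containsDotDot(requested) ||
		strings.ContainsRune(requested, '\\') ||
		strings.ContainsRune(requested, 0) {
		return "", ErrInvalidPath
	}
	// path.Clean collapses "." and "//"; the leading slash keeps it rooted.
	return path.Clean("/" + requested), nil
}

func main() {
	// Constructed sample request paths: one benign, three that must be rejected.
	for _, p := range []string{"/assets/css/", "/assets/../../etc/", "assets\\..\\x", "a\x00b"} {
		got, err := SafeListingPath(p)
		fmt.Printf("%q -> %q, %v\n", p, got, err)
	}
}
```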