Skip to content

net/http, security: http.FileServer may inadvertently expose sensitive directories #20759

@kevinburke

Description

@kevinburke

The default http.FileServer(http.Dir(".")) implementation exposes all files and folders in the working directory. This includes directories like .git or .svn, which an attacker can use to recover the source code comprising the server, if for example people deploy by running a "git clone" and a "go install." This is how Heroku handles Go deployments and I am sure others do as well; it's common if you run Macs locally but deploy on Linux.

This is not a hypothetical attack, one estimate found 9700 of the Alexa top 1 million sites expose the .git directory: https://en.internetwache.org/dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m-28-07-2015/

I am wondering whether the Go standard library should do anything to help prevent these inadvertent directory exposures. Our hands are slightly tied by the current API, which exposes everything and can't change.

Some options:

  • Do nothing

  • Document the potential vulnerability and leave it at that.

  • Add http.SafeDir or similar, that 404's on any file beginning with a .. This should cover most private files, including .htpasswd.

  • Add SafeDir to httputil.

  • Modify http.Dir to exclude files that begin with a .. This would break backwards compatibility, and seems like a bad idea.

Metadata

Metadata

Assignees

No one assigned

    Labels

    DocumentationIssues describing a change to documentation.FrozenDueToAgeNeedsDecisionFeedback is required from experts, contributors, and/or the community before a change can be made.Security

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions