-
Notifications
You must be signed in to change notification settings - Fork 18.3k
Description
The default http.FileServer(http.Dir("."))
implementation exposes all files and folders in the working directory. This includes directories like .git
or .svn
, which an attacker can use to recover the source code comprising the server, if for example people deploy by running a "git clone" and a "go install." This is how Heroku handles Go deployments and I am sure others do as well; it's common if you run Macs locally but deploy on Linux.
This is not a hypothetical attack, one estimate found 9700 of the Alexa top 1 million sites expose the .git
directory: https://en.internetwache.org/dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m-28-07-2015/
I am wondering whether the Go standard library should do anything to help prevent these inadvertent directory exposures. Our hands are slightly tied by the current API, which exposes everything and can't change.
Some options:
-
Do nothing
-
Document the potential vulnerability and leave it at that.
-
Add
http.SafeDir
or similar, that 404's on any file beginning with a.
. This should cover most private files, including.htpasswd
. -
Add
SafeDir
to httputil. -
Modify
http.Dir
to exclude files that begin with a.
. This would break backwards compatibility, and seems like a bad idea.