net/http, security: http.FileServer may inadvertently expose sensitive directories #20759
Description
The default http.FileServer(http.Dir(".")) implementation exposes all files and folders in the working directory. This includes directories like .git or .svn, which an attacker can use to recover the source code comprising the server, if for example people deploy by running a "git clone" and a "go install." This is how Heroku handles Go deployments and I am sure others do as well; it's common if you run Macs locally but deploy on Linux.
This is not a hypothetical attack, one estimate found 9700 of the Alexa top 1 million sites expose the .git directory: https://en.internetwache.org/dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m-28-07-2015/
I am wondering whether the Go standard library should do anything to help prevent these inadvertent directory exposures. Our hands are slightly tied by the current API, which exposes everything and can't change.
Some options:
-
Do nothing
-
Document the potential vulnerability and leave it at that.
-
Add
http.SafeDiror similar, that 404's on any file beginning with a.. This should cover most private files, including.htpasswd. -
Add
SafeDirto httputil. -
Modify
http.Dirto exclude files that begin with a.. This would break backwards compatibility, and seems like a bad idea.