
Patched: Directory Traversal via the ServeFile function

Open imhunterand opened this issue 2 years ago • 0 comments

The project uses fasthttp, which is vulnerable to Directory Traversal via the ServeFile function due to improper path sanitization: the path normalizer only collapsed `/../`-style sequences and did not treat the backslash as a separator, so a request path containing `%5c` (an URL-encoded backslash) could carry `..\` sequences through to the filesystem unchanged. Note: this issue impacts Windows users only, because only there does the OS treat `\` as a path separator.

var (
	strSlash            = []byte("/")
	strSlashSlash       = []byte("//")
	strSlashDotDot      = []byte("/..")
	strSlashDotSlash    = []byte("/./")
	strSlashDotDotSlash = []byte("/../")
	strCRLF             = []byte("\r\n")
	strHTTP             = []byte("http")
	strHTTPS            = []byte("https")
	strHTTP10           = []byte("HTTP/1.0")
	strHTTP11           = []byte("HTTP/1.1")
	strColon            = []byte(":")
	strColonSlashSlash  = []byte("://")
	strColonSpace       = []byte(": ")
	strCommaSpace       = []byte(", ")
	strGMT              = []byte("GMT")
var (
   ...
  // Backslash counterparts of strSlashDotDotSlash. On Windows '\' is also a
  // path separator, so ".." bracketed by a backslash must be collapsed by
  // normalizePath the same way "/../" is; otherwise a request path can
  // escape the served directory (CVE-2022-21221).
  strSlashDotDotBackSlash = []byte(`/..\`)
  strBackSlashDotDotBackSlash = []byte(`\..\`)
  ...
)
// normalizePath copies src into dst and collapses path-traversal sequences.
// Only the two backslash-aware passes are visible in this listing; the rest
// of the function is elided ("..."). These passes exist because on Windows
// the OS treats '\' as a separator, so a ".." bracketed by a backslash that
// survived normalization let a request path escape the served directory
// (CVE-2022-21221). Both passes rewrite b in place with copy().
func normalizePath(dst, src []byte) []byte {
...

// remove /foo/..\ parts
	// Each match of "/..\" is removed together with the preceding segment
	// (everything back to the previous '/'). The trailing '\' of the match is
	// kept, so "/a/b/..\c" becomes "/a\c".
	for {
		n := bytes.Index(b, strSlashDotDotBackSlash)
		if n < 0 {
			break
		}
		// No earlier '/' means the match sits at the head of the path; the
		// deletion then starts at index 0 and the result begins with the kept
		// '\' (e.g. "/..\x" -> "\x").
		nn := bytes.LastIndexByte(b[:n], '/')
		if nn < 0 {
			nn = 0
		}
		// Advance n to the last byte of the pattern (the '\') so that byte
		// survives the left shift below.
		n += len(strSlashDotDotBackSlash) - 1
		copy(b[nn:], b[n:])
		b = b[:len(b)-n+nn]
	}

	// remove /foo\..\ parts
	// Same shape as the loop above, for "\..\".
	// NOTE(review): the backtrack still searches for '/' rather than '\', so
	// "/a\b\..\c" collapses to "\c" instead of "/a\c" -- every
	// backslash-separated segment since the last '/' is dropped. That errs
	// toward removing too much, which is the safe direction for traversal,
	// but it changes which file is resolved; confirm this is intended.
	// NOTE(review): neither pass matches a trailing "\.." with no separator
	// after it. The elided code below presumably handles a trailing "/.."
	// (strSlashDotDot exists for that); the backslash variant of that case
	// cannot be checked from here.
	for {
		n := bytes.Index(b, strBackSlashDotDotBackSlash)
		if n < 0 {
			break
		}
		nn := bytes.LastIndexByte(b[:n], '/')
		if nn < 0 {
			nn = 0
		}
		// Keep the closing '\' of the match, as in the first pass.
		n += len(strBackSlashDotDotBackSlash) - 1
		copy(b[nn:], b[n:])
		b = b[:len(b)-n+nn]
	}

...
}

Impact

CVE-2022-21221 — CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N — reachable over the network with no privileges or user interaction required; high confidentiality impact (file disclosure outside the served directory), no integrity or availability impact.
