v3: Improve path validation in Static Middleware #3105

Open
wants to merge 11 commits into
base: main
Update static.go
ashermyers authored Aug 20, 2024
commit 63afcdfdc323c08b03fcb546bc8eba73194dce7f
2 changes: 1 addition & 1 deletion middleware/static/static.go
@@ -65,7 +65,7 @@
GenerateIndexPages: config.Browse,
AcceptByteRange: config.ByteRange,
Compress: config.Compress,
CompressBrotli: config.Compress,
CompressBrotli: config.Compress, // Brotli compression won't work without this
CompressedFileSuffixes: c.App().Config().CompressedFileSuffixes,
CacheDuration: config.CacheDuration,
SkipCache: config.CacheDuration < 0,
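Review bot: The new trailing comment on `CompressBrotli: config.Compress,` says Brotli "won't work without this" but not why. It would help more if it stated that Brotli is switched on by the same `config.Compress` option as the `Compress` field on the line above, so a reader can see there is no separate Brotli setting. The commit message "Update static.go" could also say that this commit only adds a comment here.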
@@ -105,14 +105,14 @@
// Perform explicit path validation
absRoot, err := filepath.Abs(root)
if err != nil {
fctx.Response.SetStatusCode(fiber.StatusInternalServerError)
return nil

Check warning on line 109 in middleware/static/static.go

Codecov / codecov/patch

middleware/static/static.go#L108-L109

Added lines #L108 - L109 were not covered by tests
}

absPath, err := filepath.Abs(filepath.Join(absRoot, string(path)))
if err != nil || !strings.HasPrefix(absPath, absRoot) {
fctx.Response.SetStatusCode(fiber.StatusForbidden)
return nil

Check warning on line 115 in middleware/static/static.go

Codecov / codecov/patch

middleware/static/static.go#L114-L115

Added lines #L114 - L115 were not covered by tests
}

return path
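Review bot: The containment test `!strings.HasPrefix(absPath, absRoot)` compares raw strings, not path components, so after `filepath.Join` has cleaned the request path, a result in a sibling directory whose name merely begins with the root's name still passes (for a made-up root `/srv/www`, a result under `/srv/www-old/` has the required prefix). Suggest accepting only `absPath == absRoot` or a prefix of `absRoot + string(filepath.Separator)`, or calling `filepath.Rel(absRoot, absPath)` and rejecting a result that is `..` or starts with `..` followed by the separator. Note also that `filepath.Abs` is purely lexical and does not resolve symlinks, which deserves a comment next to "Perform explicit path validation" so nobody reads this as a guarantee about the file actually opened. Codecov flags both early-return branches (L108-L109 and L114-L115) as untested; a test that sends a `..` path and asserts `fiber.StatusForbidden`, plus one for the sibling-directory case, would pin the behaviour down.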