More information
#### Details
Path resolution in `warp::filters::fs::dir` didn't correctly validate Windows paths meaning paths like `/foo/bar/c:/windows/web/screen/img101.png` would be allowed and respond with the contents of `c:/windows/web/screen/img101.png`. Thus users could potentially read files anywhere on the filesystem.
This only impacts Windows. Linux and other unix likes are not impacted by this.
#### Severity
High
#### References
- [https://github.com/seanmonstar/warp/issues/937](https://redirect.github.com/seanmonstar/warp/issues/937)
- [https://github.com/seanmonstar/warp/pull/997](https://redirect.github.com/seanmonstar/warp/pull/997)
- [https://github.com/seanmonstar/warp/commit/0074a0a3e98786509259bfe3821d3b3f094257aa](https://redirect.github.com/seanmonstar/warp/commit/0074a0a3e98786509259bfe3821d3b3f094257aa)
- [https://github.com/seanmonstar/warp](https://redirect.github.com/seanmonstar/warp)
- [https://rustsec.org/advisories/RUSTSEC-2022-0082.html](https://rustsec.org/advisories/RUSTSEC-2022-0082.html)
This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-8v4j-7jgf-5rg9) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
Improper validation of Windows paths could lead to directory traversal attack
More information
#### Details
Path resolution in `warp::filters::fs::dir` didn't correctly validate Windows paths
meaning paths like `/foo/bar/c:/windows/web/screen/img101.png` would be allowed
and respond with the contents of `c:/windows/web/screen/img101.png`. Thus users
could potentially read files anywhere on the filesystem.
This only impacts Windows. Linux and other unix likes are not impacted by this.
#### Severity
Unknown
#### References
- [https://crates.io/crates/warp](https://crates.io/crates/warp)
- [https://rustsec.org/advisories/RUSTSEC-2022-0082.html](https://rustsec.org/advisories/RUSTSEC-2022-0082.html)
- [https://github.com/seanmonstar/warp/issues/937](https://redirect.github.com/seanmonstar/warp/issues/937)
This data is provided by [OSV](https://osv.dev/vulnerability/RUSTSEC-2022-0082) and the [Rust Advisory Database](https://redirect.github.com/RustSec/advisory-db) ([CC0 1.0](https://redirect.github.com/rustsec/advisory-db/blob/main/LICENSE.txt)).
Release Notes
seanmonstar/warp (warp)
### [`v0.3.3`](https://redirect.github.com/seanmonstar/warp/blob/HEAD/CHANGELOG.md#v033-September-27-2022)
[Compare Source](https://redirect.github.com/seanmonstar/warp/compare/v0.3.2...v0.3.3)
- **Fixes**:
- Fix `fs` filters path sanitization to reject colons on Windows.
### [`v0.3.2`](https://redirect.github.com/seanmonstar/warp/blob/HEAD/CHANGELOG.md#v032-November-9-2021)
[Compare Source](https://redirect.github.com/seanmonstar/warp/compare/v0.3.1...v0.3.2)
- **Features**:
- Add `Filter::then()`, which is like `Filter::map()` in that it's infallible, but is async like `Filter::and_then()`.
- Add `redirect::found()` reply helper that returns `302 Found`.
- Add `compression-brotli` and `compression-gzip` cargo features to enable only the compression you need.
- Allow `HEAD` requests to be served to `fs::dir()` filters.
- Allow `path!()` with no arguments.
- **Fixes**:
- Update private dependencies Tungstenite and Multipart.
- Replaces uses of `futures` with `futures-util`, which is a smaller dependency.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
0.3.1
->0.3.3
Warp vulnerable to Path Traversal via Improper validation of Windows paths
GHSA-8v4j-7jgf-5rg9 / RUSTSEC-2022-0082
More information
#### Details Path resolution in `warp::filters::fs::dir` didn't correctly validate Windows paths meaning paths like `/foo/bar/c:/windows/web/screen/img101.png` would be allowed and respond with the contents of `c:/windows/web/screen/img101.png`. Thus users could potentially read files anywhere on the filesystem. This only impacts Windows. Linux and other unix likes are not impacted by this. #### Severity High #### References - [https://github.com/seanmonstar/warp/issues/937](https://redirect.github.com/seanmonstar/warp/issues/937) - [https://github.com/seanmonstar/warp/pull/997](https://redirect.github.com/seanmonstar/warp/pull/997) - [https://github.com/seanmonstar/warp/commit/0074a0a3e98786509259bfe3821d3b3f094257aa](https://redirect.github.com/seanmonstar/warp/commit/0074a0a3e98786509259bfe3821d3b3f094257aa) - [https://github.com/seanmonstar/warp](https://redirect.github.com/seanmonstar/warp) - [https://rustsec.org/advisories/RUSTSEC-2022-0082.html](https://rustsec.org/advisories/RUSTSEC-2022-0082.html) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-8v4j-7jgf-5rg9) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).Improper validation of Windows paths could lead to directory traversal attack
GHSA-8v4j-7jgf-5rg9 / RUSTSEC-2022-0082
More information
#### Details Path resolution in `warp::filters::fs::dir` didn't correctly validate Windows paths meaning paths like `/foo/bar/c:/windows/web/screen/img101.png` would be allowed and respond with the contents of `c:/windows/web/screen/img101.png`. Thus users could potentially read files anywhere on the filesystem. This only impacts Windows. Linux and other unix likes are not impacted by this. #### Severity Unknown #### References - [https://crates.io/crates/warp](https://crates.io/crates/warp) - [https://rustsec.org/advisories/RUSTSEC-2022-0082.html](https://rustsec.org/advisories/RUSTSEC-2022-0082.html) - [https://github.com/seanmonstar/warp/issues/937](https://redirect.github.com/seanmonstar/warp/issues/937) This data is provided by [OSV](https://osv.dev/vulnerability/RUSTSEC-2022-0082) and the [Rust Advisory Database](https://redirect.github.com/RustSec/advisory-db) ([CC0 1.0](https://redirect.github.com/rustsec/advisory-db/blob/main/LICENSE.txt)).Release Notes
seanmonstar/warp (warp)
### [`v0.3.3`](https://redirect.github.com/seanmonstar/warp/blob/HEAD/CHANGELOG.md#v033-September-27-2022) [Compare Source](https://redirect.github.com/seanmonstar/warp/compare/v0.3.2...v0.3.3) - **Fixes**: - Fix `fs` filters path sanitization to reject colons on Windows. ### [`v0.3.2`](https://redirect.github.com/seanmonstar/warp/blob/HEAD/CHANGELOG.md#v032-November-9-2021) [Compare Source](https://redirect.github.com/seanmonstar/warp/compare/v0.3.1...v0.3.2) - **Features**: - Add `Filter::then()`, which is like `Filter::map()` in that it's infallible, but is async like `Filter::and_then()`. - Add `redirect::found()` reply helper that returns `302 Found`. - Add `compression-brotli` and `compression-gzip` cargo features to enable only the compression you need. - Allow `HEAD` requests to be served to `fs::dir()` filters. - Allow `path!()` with no arguments. - **Fixes**: - Update private dependencies Tungstenite and Multipart. - Replaces uses of `futures` with `futures-util`, which is a smaller dependency.Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.