golang / vulndb

[mirror] The Go Vulnerability Database

x/vulndb: potential Go vuln in goyave.dev/goyave #3293

Open System-Glitch opened 6 days ago

System-Glitch commented 6 days ago

Description

Summary: full access to the host's OS file system using osfs.FS with Router.Static

Static file serving using router.Static and osfs.FS allows clients to access any file on the host file system using relative paths because the requested path is not sanitized and . and .. segments are accepted. The files will be returned as a response, provided the system user running the Go application has read access to the requested file.

Reproduction

import (
    "goyave.dev/goyave/v5"
    "goyave.dev/goyave/v5/util/fsutil/osfs"
)

func Register(server *goyave.Server, router *goyave.Router) {
    // Sub-filesystem rooted at ./resources on the host's OS file system.
    fs, err := (&osfs.FS{}).Sub("resources")
    if err != nil {
        //...
        return
    }
    // Requested paths are passed through unsanitized, so "." and ".." segments reach the OS.
    router.Static(fs, "/resources", false)
}

Request that escapes the intended directory:

curl http://localhost:8080/resources/../../some/file

Workarounds

Use fsutil.NewEmbed(embeddedFS) from the goyave.dev/goyave/v5/util/fsutil package to serve static content using Router.Static instead of &osfs.FS. Embedded file systems are rooted to the specified directory, making it impossible to navigate outside of the developers' intended directory.

import (
    "embed"
    "goyave.dev/goyave/v5/util/fsutil"
)

//go:embed resources
var resources embed.FS

//...
fs := fsutil.NewEmbed(resources)
router.Static(fs, "/resources", false)

Affected Modules, Packages, Versions and Symbols

Module: goyave.dev/goyave/v5
Package: goyave.dev/goyave/v5
Versions:
  - Introduced: 5.0.0
  - Fixed: 5.5.0
Symbols:
  - Router.Static

CVE/GHSA ID

No response

Fix Commit or Pull Request

https://github.com/go-goyave/goyave/commit/5836bff3efaa8a37fbd58d077b93f03e93e05edd

References

No response

Additional information

No response
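A fail-closed path check of the kind this report calls for, as an added example that is neither goyave's code nor the reporter's: staticPath and serveStatic are hypothetical names, and the fstest.MapFS is a constructed stand-in for the resources directory.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"strings"
	"testing/fstest"
)

// ErrTraversal is returned for any request path that carries "." or ".." segments.
var ErrTraversal = errors.New("static: path contains dot segments")

// staticPath maps a request URL path under mount (e.g. "/resources") to an
// fs.FS-relative path. Dot segments are refused outright rather than normalised
// away, so a traversal attempt fails closed instead of being silently remapped.
func staticPath(mount, urlPath string) (string, error) {
	if !strings.HasPrefix(urlPath, mount) {
		return "", fmt.Errorf("static: %q is not under %q", urlPath, mount)
	}
	rel := strings.Trim(strings.TrimPrefix(urlPath, mount), "/")
	if rel == "" {
		return ".", nil // the mount root itself
	}
	for _, seg := range strings.Split(rel, "/") {
		if seg == "" || seg == "." || seg == ".." {
			return "", ErrTraversal
		}
	}
	// fs.ValidPath is the io/fs contract every FS implementation may rely on.
	if !fs.ValidPath(rel) {
		return "", ErrTraversal
	}
	return rel, nil
}

// serveStatic validates the path first and only then reads from the file system.
func serveStatic(fsys fs.FS, mount, urlPath string) ([]byte, error) {
	p, err := staticPath(mount, urlPath)
	if err != nil {
		return nil, err
	}
	return fs.ReadFile(fsys, p)
}

// Constructed in-memory stand-in for the "resources" directory.
var resourcesFS = fstest.MapFS{"css/app.css": {Data: []byte("body{}")}}
```

Wiring serveStatic behind the route handler instead of handing the raw request path to the file system keeps the OS-backed FS from ever seeing a dot segment.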