Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🐛 [Bug]: internal error on static path prefix ending with ".." #3238

Open
3 tasks done
simonbrandhof opened this issue Dec 7, 2024 · 8 comments
Open
3 tasks done

🐛 [Bug]: internal error on static path prefix ending with ".." #3238

simonbrandhof opened this issue Dec 7, 2024 · 8 comments
Assignees
@rishavch2104
Labels
☢️ Bug v2

Comments

@simonbrandhof
Copy link

simonbrandhof commented Dec 7, 2024
edited
Loading

Bug Description

A request to a path handled by a static router generates an internal server error if the requested path matches the router "prefix" suffixed with ...

For example if the router prefix is /css, the requests to /css../* return the 500 error code.

That could be considered as a vulnerability:

  • raise false-positive alerts in the monitoring system
  • potential deeper vulnerabilities. The error could be a symptom of an underlying issue.

How to Reproduce

Steps to reproduce the behavior:

  1. create the directory ./css
  2. start the server:
func main() {
  app := fiber.New()
  app.Static("/css", "./css")
  app.Listen(":3000")
}
  1. request http://localhost:3000/css../whatever. The 500 error code is returned instead of the expected 404.

Expected Behavior

The static router should always return 404 if the requested path does not exist.

A workaround is to explicitly exclude the buggy path:

func main() {
  app := fiber.New()
  app.Use("/css..", func(c *fiber.Ctx) error {
    return c.SendStatus(fiber.StatusNotFound)
  })
  app.Static("/css", "./css")
  app.Listen(":3000")
}

Fiber Version

v2.52.5

Code Snippet (optional)

No response

Checklist:

  • I agree to follow Fiber's Code of Conduct.
  • I have checked for existing issues that describe my problem prior to opening this one.
  • I understand that improperly formatted bug reports may be closed without explanation.
@welcome Welcome
Copy link

welcome bot commented Dec 7, 2024

Thanks for opening your first issue here! 🎉 Be sure to follow the issue template! If you need help or want to chat with us, join us on Discord https://gofiber.io/discord

@gaby gaby added the v2 label Dec 7, 2024
@simonbrandhof simonbrandhof changed the title 🐛 [Bug]: internal error on static path with ".." 🐛 [Bug]: internal error on static path prefix ending with ".." Dec 8, 2024
@gaby
Copy link
Member

gaby commented Dec 9, 2024

This behavior was also seen when adding more tests to #3105

@gaby
Copy link
Member

gaby commented Dec 9, 2024

I have tested and confirmed that this returns 404 when using Fiber v3.

@simonbrandhof You are using v2.5.x right ?

@simonbrandhof
Copy link
Author

@gaby exact, v2.52.5

@rishavch2104
Copy link

I would like to work on this @gaby

@gaby
Copy link
Member

gaby commented Mar 4, 2025

@rishavch2104 Go for it. The branch name is v2.

@rishavch2104
Copy link

Hi @gaby from what I understand, static files with path /css will always be /css/123 unless its a wildcard. it can never be /cssab/123. From the code we are passing /css to fasthttp.FS as prefix. But in case of non root and non wildcard paths, it should be /css/ . Please let me know if this sounds fine, I will make the changes accordingly

@gaby
Copy link
Member

gaby commented Mar 5, 2025

@rishavch2104 I believe so, yes

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rishavch2104 rishavch2104

Labels
☢️ Bug v2
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@simonbrandhof @gaby @rishavch2104