Skip to content

Relative Path Traversal in afire serve_static

High severity GitHub Reviewed Published Apr 10, 2022 in connorslade/afire • Updated Jan 11, 2023

Package

cargo afire (Rust)

Affected versions

>= 0.2.1, < 1.1.0

Patched versions

1.1.0

Description

Impact

This vulnerability effects the built-in afire serve_static extension allowing paths containing //.... to bypass the previous path sanitation and request files in higher directories that should not be accessible.

Patches

The issue has been fixed in afire 1.1.0.
If you can, just update to the newest version of afire.

Workarounds

If you can't update afire you can simply disallow paths containing /.. with the following middleware.
Make sure this is the last middleware added to the server so it runs first, stopping the bad requests.

use afire::prelude::*;

struct PathTraversalFix;

impl Middleware for PathTraversalFix {
    fn pre(&self, req: Request) -> MiddleRequest {
        if req.path.replace("\\", "/").contains("/..") {
            return MiddleRequest::Send(
                Response::new()
                    .status(400)
                    .text("Paths containing `..` are not allowed"),
            );
        }

        MiddleRequest::Continue
    }
}
let mut server = Server::new(host, port);
PathTraversalFix.attach(&mut server);

References

You can read about the new changes to afire in 1.1.0 here

For more information

If you have any questions or comments about this advisory you can email me or message me on discord.
[https://connorcode.com/contact]

References

@connorslade connorslade published to connorslade/afire Apr 10, 2022
Published to the GitHub Advisory Database Apr 22, 2022
Reviewed Apr 22, 2022
Last updated Jan 11, 2023

Severity

High

CVE ID

No known CVE

GHSA ID

GHSA-3227-r97m-8j95

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.