CVE-2023-40274: LFI in zola serve · Issue #2257 · getzola/zola

An issue was discovered in zola 0.13.0 through 0.17.2. The custom implementation of a web server, available via the "zola serve" command, allows directory traversal. The handle_request function, used by the server to process HTTP requests, does not account for sequences of special path control characters (../) in the URL when serving a file, which allows one to escape the webroot of the server and read arbitrary files from the filesystem.


Bug Report

Environment

OS: MacOS 13.4.1; Windows 11; Ubuntu 20.04
Zola version: 0.17.2

Expected Behavior

Application should only search & serve files within the webserver’s root folder.

Current Behavior

The custom web server implementation, used for development purposes and available via the zola serve command, is vulnerable to directory traversal. The handle_request function performs insufficient checks on the user-supplied path in an HTTP request to the server:

if !root.starts_with(original_root) {

The application only checks for a trusted path prefix, but does not actually fully resolve the path. Since the webroot directory is prepended to each path, this check will always be bypassed:

use std::path::PathBuf;

let root_path = PathBuf::from("/trusted_prefix/../../some/arbitrary/path");
let trusted_prefix = "/trusted_prefix";

// The component-wise prefix check passes; the `..` components are never resolved
assert!(root_path.starts_with(trusted_prefix)); // true

Thus it is possible to use path control sequences (/, ..) to escape the webroot and read arbitrary files from the filesystem of the machine running the zola serve command.
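The following is an added example (not zola's code and not part of the original report) that places the naive prefix check beside a hardened resolver. The hardened version refuses any `..`, root or prefix component before touching the filesystem, then canonicalizes both the webroot and the candidate so the prefix test runs on resolved paths (which also defeats symlinks pointing outside the root). The function names, the temporary demo directory and its files are constructed for this example; it assumes the request path has already been percent-decoded, as a real server would do before routing.

```rust
use std::fs;
use std::path::{Component, Path, PathBuf};

/// The pattern the issue describes: prepend the webroot and test only the
/// textual prefix. `..` components survive, so the check is bypassed.
pub fn naive_is_inside_root(webroot: &Path, request_path: &str) -> bool {
    let root = webroot.join(request_path.trim_start_matches('/'));
    root.starts_with(webroot)
}

/// Hardened variant: reject `..`, root and prefix components up front, then
/// canonicalize both sides so symlinks are resolved before the prefix test.
/// Returns the resolved on-disk path, or None if the request must be refused.
/// Canonicalization requires the file to exist, which suits a static file
/// server: a missing file is a 404 either way.
pub fn resolve_inside_root(webroot: &Path, request_path: &str) -> Option<PathBuf> {
    let mut candidate = PathBuf::new();
    for component in Path::new(request_path).components() {
        match component {
            Component::Normal(part) => candidate.push(part),
            // A leading "/" or "." segment is harmless and simply dropped
            Component::CurDir | Component::RootDir => {}
            // Anything that could climb out of or re-root the path is refused
            Component::ParentDir | Component::Prefix(_) => return None,
        }
    }
    let canonical_root = fs::canonicalize(webroot).ok()?;
    let resolved = fs::canonicalize(canonical_root.join(&candidate)).ok()?;
    if resolved.starts_with(&canonical_root) {
        Some(resolved)
    } else {
        None
    }
}

/// Builds a throwaway webroot under the system temp dir (constructed demo data):
///   <base>/public/index.html   (inside the root)
///   <base>/secret.txt          (outside the root)
/// Returns (base, webroot); the caller removes `base` when done.
pub fn make_demo_root() -> (PathBuf, PathBuf) {
    let base = std::env::temp_dir().join(format!("traversal_demo_{}", std::process::id()));
    let webroot = base.join("public");
    fs::create_dir_all(&webroot).expect("create demo dirs");
    fs::write(webroot.join("index.html"), "<html>hello</html>").expect("write index");
    fs::write(base.join("secret.txt"), "outside the webroot").expect("write secret");
    (base, webroot)
}

fn main() {
    let (base, webroot) = make_demo_root();
    for req in ["/index.html", "/./index.html", "/../secret.txt", "/missing.html"] {
        println!(
            "{:<16} naive={} hardened={:?}",
            req,
            naive_is_inside_root(&webroot, req),
            resolve_inside_root(&webroot, req)
        );
    }
    let _ = fs::remove_dir_all(&base);
}
```

Running the block prints one line per request: the naive check reports `/../secret.txt` as inside the root, while the hardened resolver returns `None` for it and for the missing file, and a canonical path only for the legitimate requests.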

Steps to reproduce (UNIX)

  1. Install zola
  2. Run zola init poc && cd poc
  3. Run zola serve
  4. Use curl > 7.42 to trigger the path traversal via the following command: curl --path-as-is "http://localhost:1111/../../../../../../../../../../etc/passwd" -vvv

Successful exploitation should yield the contents of the /etc/passwd file.

Related news

GHSA-xvv9-5j67-3rpq: zola Path Traversal vulnerability