CVE-2019-25073: v1: Prevent directory path traversal in FileHandler (#2388) · goadesign/goa@70b5a19

Improper path sanitization in github.com/goadesign/goa before v3.0.9, v2.0.10, or v1.4.3 allows remote attackers to read files outside of the intended directory.


@@ -372,6 +372,10 @@ func (ctrl *Controller) FileHandler(path, filename string) Handler { } } return func(ctx context.Context, rw http.ResponseWriter, req *http.Request) error { // prevent path traversal if attemptsPathTraversal(req.URL.Path, path) { return ErrNotFound(req.URL.Path) } fname := filename if len(wc) > 0 { if m, ok := ContextRequest(ctx).Params[wc]; ok {
@@ -415,6 +419,32 @@ func (ctrl *Controller) FileHandler(path, filename string) Handler { } }
func attemptsPathTraversal(req string, path string) bool { if !strings.Contains(req, “…”) { return false }
currentPathIdx := 0 if idx := strings.LastIndex(path, “/*”); idx > -1 && idx < len(path)-1 { req = req[idx+1:] } for _, runeValue := range strings.FieldsFunc(req, isSlashRune) { if runeValue == “…” { currentPathIdx-- if currentPathIdx < 0 { return true } } else { currentPathIdx++ } } return false }
func isSlashRune(r rune) bool { return os.IsPathSeparator(uint8®) }
var replacer = strings.NewReplacer( "&", "&", "<", "<",
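Review bot: isSlashRune narrows the rune to a byte before asking os.IsPathSeparator (rendered here as `uint8®`, presumably `uint8(r)` in the commit), so a non-ASCII rune whose low byte happens to be the separator byte is treated as a slash; because attemptsPathTraversal credits every non-`..` field as one level of depth, splitting such a segment in two lets the counter absorb one more `..` than the real path contains. Restricting the test to ASCII, `return r < 0x80 && os.IsPathSeparator(uint8(r))`, keeps the fields aligned with real separators. The `req = req[idx+1:]` slice also applies an index computed on the route pattern `path` to the request path, which only lines up while everything before `/*` in the pattern is literal text of the same length as the request prefix; a comment stating that assumption, or a `strings.HasPrefix(req, path[:idx+1])` guard before slicing, would make it explicit.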
