Headline
CVE-2022-35920: Sanic static handler allows parent ".." directory traversal · Issue #2478 · sanic-org/sanic
Sanic is an open source Python web server/framework. Affected versions of Sanic allow access to lateral directories when using app.static if using encoded %2F URLs. Parent directory traversal is not impacted. Users are advised to upgrade. There is no known workaround for this issue.
Describe the bug
The sanic static directory code checks for ../ as a substring of paths, but it also unquotes the path, which allows a malicious user to escape outside the static folder by using ..%2F, where %2F is the URL-escaped version of /.
Code snippet
First, a basic server called main.py.
from sanic import Sanic

app = Sanic(name="sanic_test")
# Serve ./static_files under the /static URL prefix
app.static('/static', './static_files')

if __name__ == "__main__":
    app.run(host="0.0.0.0", port=8000)
Then create a static file folder.
mkdir static_files
echo "hello world" > static_files/a.txt
Now run the server with python3 main.py and:
$ curl http://localhost:8000/static/a.txt
hello world
$ curl http://localhost:8000/static/..%2Fstatic_files/a.txt
hello world
This is very surprising behavior. From a security perspective it is not critical because sanic checks that the final resolved path has a prefix with the static directory, but this allows an attacker to expose information like the name of the static file folder.
Another case where this is dangerous is if you have a middleware that only allows a user to see certain subpaths like /static/public/** of the /static/** routes without authentication. Then, even without authentication, a user could visit a path like /static/public/..%2F/private/secret_content.txt and retrieve the contents of /static/private/secret_content.txt.
Expected behavior
Sanic should not allow parent directory traversal in static folders.
Environment (please complete the following information):
- OS: macOS and Linux
- Version: 22.3.2
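The following is an added model of the ordering problem the report describes, not Sanic's own static handler and not the fix from the linked pull request. It reproduces the pre-fix sequence (substring test for "../" on the still-encoded path, decode afterwards, then a prefix comparison of the resolved path against the static root) beside a hardened resolver that decodes first, rejects any ".." segment in the decoded path, and verifies containment with a real path comparison. The directory layout, the serve() driver, the hypothetical "public only" middleware allowlist and all file contents are constructed for the example.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote

STATIC_URL_PREFIX = "/static/"          # matches app.static('/static', ...)
PUBLIC_URL_PREFIX = "/static/public/"   # hypothetical middleware allowlist


def make_static_tree() -> Path:
    """Constructed fixture mirroring the report:
    <tmp>/static_files/a.txt, public/index.txt, private/secret_content.txt."""
    base = Path(tempfile.mkdtemp())
    root = base / "static_files"
    (root / "public").mkdir(parents=True)
    (root / "private").mkdir()
    (root / "a.txt").write_text("hello world")
    (root / "public" / "index.txt").write_text("public")
    (root / "private" / "secret_content.txt").write_text("top secret")
    return root


def vulnerable_resolve(root: Path, rest: str):
    """Model of the pre-fix ordering described in the issue (not Sanic's code):
    the '../' substring test runs on the raw, still-encoded path; the path is
    URL-decoded only afterwards; the last guard is a string-prefix comparison
    of the resolved path against the static root.
    Returns the file that would be served, or None."""
    if "../" in rest:                       # "..%2F" sails past this test
        return None
    target = (root / unquote(rest)).resolve()
    if not str(target).startswith(str(root.resolve())):
        return None
    return target if target.is_file() else None


def hardened_resolve(root: Path, rest: str):
    """Decode first, reject absolute paths and any '..' segment in the decoded
    form, then still confirm containment of the resolved path. relative_to()
    rather than a string prefix test, so a sibling directory whose name merely
    starts with the root's name cannot pass."""
    rel = Path(unquote(rest))               # "public/..//private/x" -> parts contain ".."
    if rel.is_absolute() or ".." in rel.parts:
        return None
    target = (root / rel).resolve()
    try:
        target.relative_to(root.resolve())
    except ValueError:
        return None
    return target if target.is_file() else None


def serve(root: Path, raw_path: str, resolver, require_public: bool = False):
    """Drive one request through an optional raw-path allowlist middleware
    (the second scenario in the report) and the chosen resolver.
    Returns the served file contents, or None if the request is refused."""
    if require_public and not raw_path.startswith(PUBLIC_URL_PREFIX):
        return None                         # middleware looks at the raw path only
    if not raw_path.startswith(STATIC_URL_PREFIX):
        return None
    target = resolver(root, raw_path[len(STATIC_URL_PREFIX):])
    return target.read_text() if target else None


if __name__ == "__main__":
    root = make_static_tree()
    for path in ("/static/a.txt",
                 "/static/..%2Fstatic_files/a.txt",
                 "/static/../static_files/a.txt",
                 "/static/public/..%2F/private/secret_content.txt"):
        print(path)
        print("  vulnerable:", serve(root, path, vulnerable_resolve, require_public=path.startswith(PUBLIC_URL_PREFIX)))
        print("  hardened:  ", serve(root, path, hardened_resolve, require_public=path.startswith(PUBLIC_URL_PREFIX)))
```

Running it shows the two observations from the report side by side: the literal "../" form is refused by both resolvers, the "..%2F" form is served by the vulnerable one (revealing that the directory is named static_files, and bypassing the raw-path allowlist to read private/secret_content.txt), and the hardened resolver refuses both encoded forms while still serving the legitimate files.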
Related news
### Impact

Access to lateral directories when using `app.static` if using encoded `%2F` URLs. Parent directory traversal is not impacted.

### Patches

- v20.12.7 (LTS)
- v21.12.2 (LTS)
- v22.6.1

### References

- https://github.com/sanic-org/sanic/issues/2478
- https://github.com/sanic-org/sanic/pull/2495

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [the community forums](https://community.sanicframework.org/)
* Ping us on [the Discord server](https://discord.gg/FARQzAEMAA)