Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zMjI3LXI5N20tOGo5Nc0_nQ
Relative Path Traversal in afire serve_static
Impact
This vulnerability effects the built-in afire serve_static extension allowing paths containing //.... to bypass the previous path sanitation and request files in higher directories that should not be accessible.
Patches
The issue has been fixed in afire 1.1.0.
If you can, just update to the newest version of afire.
Workarounds
If you can't update afire you can simply disallow paths containing /.. with the following middleware.
Make sure this is the last middleware added to the server so it runs first, stopping the bad requests.
use afire::prelude::*;
struct PathTraversalFix;
impl Middleware for PathTraversalFix {
fn pre(&self, req: Request) -> MiddleRequest {
if req.path.replace("\\", "/").contains("/..") {
return MiddleRequest::Send(
Response::new()
.status(400)
.text("Paths containing `..` are not allowed"),
);
}
MiddleRequest::Continue
}
}
let mut server = Server::new(host, port);
PathTraversalFix.attach(&mut server);
References
You can read about the new changes to afire in 1.1.0 here
For more information
If you have any questions or comments about this advisory you can email me or message me on discord.
[https://connorcode.com/contact]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zMjI3LXI5N20tOGo5Nc0_nQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: over 1 year ago
Identifiers: GHSA-3227-r97m-8j95
References:
- https://github.com/Basicprogrammer10/afire/security/advisories/GHSA-3227-r97m-8j95
- https://github.com/Basicprogrammer10/afire/commit/da7904c04f82e1cb43cc42eaf6a1dba072b5c921
- https://github.com/Basicprogrammer10/afire/releases/tag/v1.1.0
- https://github.com/advisories/GHSA-3227-r97m-8j95
Blast Radius: 0.0
Affected Packages
cargo:afire
Dependent packages: 1Dependent repositories: 7
Downloads: 11,831 total
Affected Version Ranges: >= 0.2.1, < 1.1.0
Fixed in: 1.1.0
All affected versions: 0.2.1, 0.2.2, 0.3.0, 0.4.0, 1.0.0
All unaffected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.2.0, 1.1.0, 1.2.0, 2.0.0, 2.1.0, 2.2.0, 2.2.1