Path traversal in /static responder when running in debug mode

[5225225]

Steps to reproduce:

1. Run agora in debug mode, I used cargo run -- --directory tmp --http-port 1234
2. curl --path-as-is https://localhost:1234/static/../../../../../../../../etc/passwd
3. Get back the contents of your /etc/passwd

[5225225]

This is best handled upstream, I opened pyrossh/rust-embed#159

Might as well keep this open until the code here is no longer vulnerable, though.

[casey]

Nice find! I'm both surprised and not surprised that they didn't think of this. It's exactly the kind of thing that one should worry about, but also, most user agents normalize .. path segments, so if you don't use something like --path-as-is, you might think that it isn't an issue.

[casey]

I opened #271 with some thoughts for things we could do on our end.

[5225225]

By the way, rust-embed fixed this, so you should put out a release that depends on 6.3.0, see the linked issue pyrossh/rust-embed#159

[soenkehahn]

@5225225: Thanks so much for opening this issue. I just put up a PR bumping the rust-embed version: #274. I also made sure manually that this actually fixes it.

[casey]

Since this is a security issue, reopening until we have a new release with the fix.

[casey]

Just published v0.1.2 and tested it locally, and this is fixed.

On a vulnerable version, you can get the readme me when serving files out of the example-files directory with:

curl --path-as-is localhost:8080/static/../README.md

On 0.1.2 this returns a 404.

Thanks again, @5225225, for finding this. How did you think to look for it?

[5225225]

I was mainly going through reddit posts on /r/rust looking for people who posted about web services

then looked at the router expecting to find either a fun path traversal, or some lack of authentication / denial of service.

I mainly fuzz crates (see: massive list of issues / PRs related to that) but thought i'd try my hand at reviewing a web project.