
GHSA-3227-r97m-8j95 afire

Package

Manager: cargo
Name: afire
Vulnerable Version: >=0.2.1 <1.1.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

Relative Path Traversal in afire serve_static

### Impact

This vulnerability affects the built-in afire `serve_static` extension. A request path containing `//....` bypasses the previous path sanitization, so a client can request files in directories above the static root that should not be accessible.

### Patches

The issue has been fixed in [afire 1.1.0](https://crates.io/crates/afire/1.1.0). If you can, update to the newest version of afire.

### Workarounds

If you can't update afire, you can reject any request whose path contains `/..` with the following middleware. Make sure this is the last middleware added to the server so that it runs first and stops the bad requests before they reach `serve_static`.

```rust
use afire::prelude::*;

/// Rejects any request whose path contains a `..` segment before it can reach
/// the static file handler.
struct PathTraversalFix;

impl Middleware for PathTraversalFix {
    fn pre(&self, req: Request) -> MiddleRequest {
        // Fold backslashes to forward slashes first so `\..` is caught as well.
        if req.path.replace("\\", "/").contains("/..") {
            return MiddleRequest::Send(
                Response::new()
                    .status(400)
                    .text("Paths containing `..` are not allowed"),
            );
        }
        MiddleRequest::Continue
    }
}
```

```rust
let mut server = Server::new(host, port);
// Attach last so this middleware runs before everything else.
PathTraversalFix.attach(&mut server);
```

### References

You can read about the new changes to afire in 1.1.0 [here](https://connorcode.com/writing/afire/update-3).

### For more information

If you have any questions or comments about this advisory you can email me or message me on discord. [https://connorcode.com/contact](https://connorcode.com/contact)
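The following is an added, stand-alone Rust example (not afire's code and not part of the advisory) that shows why a `//....` path defeats a sanitizer that strips `/..` in a single pass, checks the advisory's workaround against the same inputs, and contrasts both with a resolver that refuses `..` segments instead of trying to remove them. The `strip_once` function is a hypothetical model of a strip-once sanitizer; the advisory does not quote the pre-1.1.0 code, so treat that model, the `/srv/static` root, and the probe paths as constructed assumptions.

```rust
use std::path::{Component, Path, PathBuf};

/// Hypothetical model of a strip-once sanitizer (an assumption; the advisory
/// does not quote afire's pre-1.1.0 code). Removing "/.." in a single pass is
/// not idempotent: "//...." loses one "/.." and what remains is "/.." again,
/// which then escapes the static root once joined to it.
fn strip_once(req_path: &str) -> String {
    req_path.replace("/..", "")
}

/// The advisory's workaround check as a free function: reject any path that
/// still contains "/.." after backslashes are folded to forward slashes.
fn workaround_rejects(req_path: &str) -> bool {
    req_path.replace('\\', "/").contains("/..")
}

/// Lexical resolution of a request path under `root`: split on both slash
/// kinds, drop empty and "." segments, refuse any ".." segment outright
/// instead of stripping it, and accept only plain file-name components.
/// This must run on the same decoded form the file lookup uses; a check
/// applied before percent-decoding can be bypassed with "%2e%2e".
fn resolve_under_root(root: &Path, req_path: &str) -> Option<PathBuf> {
    let mut out = root.to_path_buf();
    for seg in req_path.replace('\\', "/").split('/') {
        match seg {
            "" | "." => continue,
            ".." => return None,
            s => {
                let mut comps = Path::new(s).components();
                match (comps.next(), comps.next()) {
                    (Some(Component::Normal(_)), None) => out.push(s),
                    _ => return None, // drive letters, prefixes, odd components
                }
            }
        }
    }
    // Defence in depth: the joined path must still sit under the root.
    if out.starts_with(root) {
        Some(out)
    } else {
        None
    }
}

fn main() {
    let root = Path::new("/srv/static");
    // Constructed request paths: a benign one, a legitimate-looking "..",
    // the "//...." bypass from the advisory, and a backslash variant.
    let probes = [
        "/index.html",
        "/css/../index.html",
        "//....//etc/passwd",
        "/..\\..\\secret",
    ];
    for p in probes {
        println!(
            "{:<22} strip_once={:<18} workaround_rejects={:<5} resolved={:?}",
            p,
            strip_once(p),
            workaround_rejects(p),
            resolve_under_root(root, p)
        );
    }
}
```

Note that the resolver treats `....` as an ordinary file name (only `.` and `..` are special), so the bypass path collapses to a harmless lookup inside the root, while any real `..` segment, including one written with backslashes, is refused before any filesystem access happens.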

Metadata

Created: 2022-04-22T20:16:45Z
Modified: 2022-04-22T20:16:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-3227-r97m-8j95/GHSA-3227-r97m-8j95.json
CWE IDs: ["CWE-22", "CWE-34"]
Alternative ID: N/A
Finding: F063
Auto approve: 1