-
-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
v3: Improve path validation in Static Middleware #3105
base: main
Are you sure you want to change the base?
Conversation
Thanks for opening this pull request! 🎉 Please check out our contributing guidelines. If you need help or want to chat with us, join us on Discord https://gofiber.io/discord |
WalkthroughThe recent changes enhance the security of the Changes
Poem
Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media? 🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
CodeRabbit Configuration File (
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actionable comments posted: 0
Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Files selected for processing (1)
- middleware/static/static.go (1 hunks)
Additional comments not posted (1)
middleware/static/static.go (1)
105-117
: Security Enhancement: Absolute Path Validation ApprovedThe implementation of absolute path resolution using
filepath.Abs
effectively mitigates directory traversal attacks by ensuring that the requested path is within the root directory. The use of appropriate HTTP status codes (500
for internal errors and403
for forbidden access) enhances security and robustness.
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #3105 +/- ##
==========================================
- Coverage 82.76% 82.64% -0.13%
==========================================
Files 114 114
Lines 11149 11159 +10
==========================================
- Hits 9228 9222 -6
- Misses 1521 1533 +12
- Partials 400 404 +4
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
@ashermyers thx for the adjustment |
@ashermyers can you add some test cases code you have changed |
@coderabbitai full review |
Actions performedFull review triggered. |
WalkthroughThe changes enhance the path validation logic in the Changes
Poem
Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media? TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
CodeRabbit Configuration File (
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actionable comments posted: 0
Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Files selected for processing (1)
- middleware/static/static.go (1 hunks)
Additional context used
GitHub Check: codecov/patch
middleware/static/static.go
[warning] 108-109: middleware/static/static.go#L108-L109
Added lines #L108 - L109 were not covered by tests
[warning] 114-115: middleware/static/static.go#L114-L115
Added lines #L114 - L115 were not covered by tests
Additional comments not posted (2)
middleware/static/static.go (2)
Line range hint
183-205
: Well-implemented helper function.The
isFile
function is well-implemented with robust error handling and flexibility to work with both custom file systems and the OS file system. This function supports the main functionality by determining if the root is a file, which is crucial for setting the correct path behavior in the middleware.Tools
GitHub Check: codecov/patch
[warning] 108-109: middleware/static/static.go#L108-L109
Added lines #L108 - L109 were not covered by tests
[warning] 114-115: middleware/static/static.go#L114-L115
Added lines #L114 - L115 were not covered by tests
105-117
: Approve changes but recommend adding test coverage.The implementation of absolute path resolution is a significant enhancement for security, effectively mitigating directory traversal attacks. The logic to check for errors and ensure the requested path does not escape the designated root directory is correctly implemented.
However, the static analysis tool has flagged that new lines 108-109 and 114-115 are not covered by tests. It is crucial to ensure that these parts of the code are tested to maintain high code quality and reliability.
Tools
GitHub Check: codecov/patch
[warning] 108-109: middleware/static/static.go#L108-L109
Added lines #L108 - L109 were not covered by tests
[warning] 114-115: middleware/static/static.go#L114-L115
Added lines #L114 - L115 were not covered by tests
@ashermyers can you check @ReneWerner87's comment |
Description
The code uses filepath.Abs to resolve both the root directory and the requested path to their absolute forms. This improves security by further preventing advanced directory traversal attacks.
Changes introduced
Absolute Path Resolution
Type of change