[SECURITY] Prevent Path Traversal in website_handlers #15

Open
opened 2026-02-14 21:21:21 +00:00 by thabeta · 0 comments
Owner

The server allows mounting and serving content via `/website/:website_hash/*path` (implemented in `src/server/website_handlers.rs`).

**Risk:** Without strict path normalization and checking, an attacker could provide a path containing `..` to escape the intended flist root and read arbitrary files from the storage backend.

**Proposed Fix:** Ensure all paths are normalized and verified to reside within the intended directory subtree before processing.

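One way to implement the proposed fix, as an added example that is not code from my_fs: the `*path` capture is normalized lexically and rejected if any `..` would climb above the served root. The function names `normalize_request_path` and `resolve_in_root` and the root `/flist/root` are hypothetical, and the input is assumed to be already percent-decoded.

```rust
use std::path::{Component, Path, PathBuf};

/// Hypothetical helper (not from my_fs): lexically normalise the `*path`
/// capture into a path relative to the served root. Assumes `raw` is already
/// percent-decoded. Returns None if the path would climb above the root.
pub fn normalize_request_path(raw: &str) -> Option<PathBuf> {
    // NUL bytes and backslashes have no place in a URL path segment here;
    // rejecting them keeps behaviour identical on Unix and Windows.
    if raw.contains('\0') || raw.contains('\\') {
        return None;
    }
    let mut out = PathBuf::new();
    for comp in Path::new(raw).components() {
        match comp {
            Component::Normal(seg) => out.push(seg),
            // "." and the leading "/" of the capture carry no information.
            Component::CurDir | Component::RootDir => {}
            // pop() returns false when `out` is already empty, i.e. the
            // ".." would step outside the root: treat as traversal.
            Component::ParentDir => {
                if !out.pop() {
                    return None;
                }
            }
            Component::Prefix(_) => return None,
        }
    }
    Some(out)
}

/// Join the normalised path onto `root` and re-check containment.
pub fn resolve_in_root(root: &Path, raw: &str) -> Option<PathBuf> {
    let full = root.join(normalize_request_path(raw)?);
    // Component-wise prefix check, so "/flist/root2" does not match "/flist/root".
    if full.starts_with(root) { Some(full) } else { None }
}

fn main() {
    // Constructed sample inputs; "/flist/root" is a placeholder root.
    let root = Path::new("/flist/root");
    for raw in ["index.html", "/css/./site.css", "docs/../index.html",
                "../etc/passwd", "a/../../secret"] {
        println!("{raw:?} -> {:?}", resolve_in_root(root, raw));
    }
}
```

This is a purely lexical check; if the backend resolves paths on a real filesystem, symlinks inside the root need a separate check after canonicalization.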
Reference
geomind_code/my_fs#15