id: GO-2022-0355
modules:
    - module: github.com/valyala/fasthttp
      versions:
        - fixed: 1.34.0
      vulnerable_at: 1.33.0
      packages:
        - package: github.com/valyala/fasthttp
          symbols:
            - FS.NewRequestHandler
          derived_symbols:
            - AppendBrotliBytes
            - AppendBrotliBytesLevel
            - AppendDeflateBytes
            - AppendDeflateBytesLevel
            - AppendGunzipBytes
            - AppendGzipBytes
            - AppendGzipBytesLevel
            - AppendHTTPDate
            - AppendInflateBytes
            - AppendUnbrotliBytes
            - Args.WriteTo
            - Client.CloseIdleConnections
            - Client.Do
            - Client.DoDeadline
            - Client.DoRedirects
            - Client.DoTimeout
            - Client.Get
            - Client.GetDeadline
            - Client.GetTimeout
            - Client.Post
            - Cookie.AppendBytes
            - Cookie.Cookie
            - Cookie.Parse
            - Cookie.ParseBytes
            - Cookie.String
            - Cookie.WriteTo
            - Dial
            - DialDualStack
            - DialDualStackTimeout
            - DialTimeout
            - Do
            - DoDeadline
            - DoRedirects
            - DoTimeout
            - FSHandler
            - FileLastModified
            - GenerateTestCertificate
            - Get
            - GetDeadline
            - GetTimeout
            - HostClient.CloseIdleConnections
            - HostClient.Do
            - HostClient.DoDeadline
            - HostClient.DoRedirects
            - HostClient.DoTimeout
            - HostClient.Get
            - HostClient.GetDeadline
            - HostClient.GetTimeout
            - HostClient.Post
            - LBClient.Do
            - LBClient.DoDeadline
            - LBClient.DoTimeout
            - ListenAndServe
            - ListenAndServeTLS
            - ListenAndServeTLSEmbed
            - ListenAndServeUNIX
            - NewStreamReader
            - ParseByteRange
            - ParseHTTPDate
            - ParseIPv4
            - PipelineClient.Do
            - PipelineClient.DoDeadline
            - PipelineClient.DoTimeout
            - PipelineClient.PendingRequests
            - Post
            - Request.Body
            - Request.BodyGunzip
            - Request.BodyInflate
            - Request.BodyUnbrotli
            - Request.BodyWriteTo
            - Request.ContinueReadBody
            - Request.ContinueReadBodyStream
            - Request.Host
            - Request.MultipartForm
            - Request.PostArgs
            - Request.Read
            - Request.ReadBody
            - Request.ReadLimitBody
            - Request.SetBodyStreamWriter
            - Request.SetHost
            - Request.SetHostBytes
            - Request.String
            - Request.SwapBody
            - Request.URI
            - Request.Write
            - Request.WriteTo
            - RequestCtx.FormFile
            - RequestCtx.FormValue
            - RequestCtx.Host
            - RequestCtx.IfModifiedSince
            - RequestCtx.MultipartForm
            - RequestCtx.Path
            - RequestCtx.PostArgs
            - RequestCtx.PostBody
            - RequestCtx.QueryArgs
            - RequestCtx.Redirect
            - RequestCtx.RedirectBytes
            - RequestCtx.SendFile
            - RequestCtx.SendFileBytes
            - RequestCtx.SetBodyStreamWriter
            - RequestCtx.String
            - RequestCtx.URI
            - RequestHeader.Add
            - RequestHeader.AddBytesK
            - RequestHeader.AddBytesKV
            - RequestHeader.AddBytesV
            - RequestHeader.Read
            - RequestHeader.ReadTrailer
            - RequestHeader.Set
            - RequestHeader.SetByteRange
            - RequestHeader.SetBytesK
            - RequestHeader.SetBytesKV
            - RequestHeader.SetBytesV
            - RequestHeader.SetCanonical
            - RequestHeader.SetReferer
            - RequestHeader.SetRefererBytes
            - RequestHeader.Write
            - Response.Body
            - Response.BodyGunzip
            - Response.BodyInflate
            - Response.BodyUnbrotli
            - Response.BodyWriteTo
            - Response.Read
            - Response.ReadBody
            - Response.ReadLimitBody
            - Response.SendFile
            - Response.SetBodyStreamWriter
            - Response.String
            - Response.SwapBody
            - Response.Write
            - Response.WriteDeflate
            - Response.WriteDeflateLevel
            - Response.WriteGzip
            - Response.WriteGzipLevel
            - Response.WriteTo
            - ResponseHeader.Add
            - ResponseHeader.AddBytesK
            - ResponseHeader.AddBytesKV
            - ResponseHeader.AddBytesV
            - ResponseHeader.AppendBytes
            - ResponseHeader.Cookie
            - ResponseHeader.DelClientCookie
            - ResponseHeader.DelClientCookieBytes
            - ResponseHeader.Header
            - ResponseHeader.Read
            - ResponseHeader.ReadTrailer
            - ResponseHeader.Set
            - ResponseHeader.SetBytesK
            - ResponseHeader.SetBytesKV
            - ResponseHeader.SetBytesV
            - ResponseHeader.SetCanonical
            - ResponseHeader.SetContentRange
            - ResponseHeader.SetCookie
            - ResponseHeader.SetLastModified
            - ResponseHeader.String
            - ResponseHeader.Write
            - ResponseHeader.WriteTo
            - SaveMultipartFile
            - Serve
            - ServeConn
            - ServeFile
            - ServeFileBytes
            - ServeFileBytesUncompressed
            - ServeFileUncompressed
            - ServeTLS
            - ServeTLSEmbed
            - Server.AppendCert
            - Server.AppendCertEmbed
            - Server.ListenAndServe
            - Server.ListenAndServeTLS
            - Server.ListenAndServeTLSEmbed
            - Server.ListenAndServeUNIX
            - Server.Serve
            - Server.ServeConn
            - Server.ServeTLS
            - Server.ServeTLSEmbed
            - Server.Shutdown
            - TCPDialer.Dial
            - TCPDialer.DialDualStack
            - TCPDialer.DialDualStackTimeout
            - TCPDialer.DialTimeout
            - URI.Parse
            - URI.Update
            - URI.UpdateBytes
            - URI.WriteTo
            - WriteBrotli
            - WriteBrotliLevel
            - WriteDeflate
            - WriteDeflateLevel
            - WriteGunzip
            - WriteGzip
            - WriteGzipLevel
            - WriteInflate
            - WriteMultipartForm
            - WriteUnbrotli
            - bigFileReader.Read
            - bigFileReader.WriteTo
            - ctxLogger.Printf
            - firstByteReader.Read
            - flushWriter.Write
            - fsFile.NewReader
            - fsSmallFileReader.WriteTo
            - hijackConn.Close
            - hijackConn.Read
            - perIPConn.Close
            - perIPConnCounter.Unregister
            - pipelineConnClient.Do
            - pipelineConnClient.DoDeadline
            - pipelineConnClient.PendingRequests
            - requestStream.Read
            - statsWriter.Write
            - tcpKeepaliveListener.Accept
            - workerPool.Serve
summary: Path traversal in github.com/valyala/fasthttp
description: |-
    The fasthttp.FS request handler is vulnerable to directory traversal on Windows
    systems and can serve files from outside the configured root directory.

    URL path normalization does not treat Windows path separators (backslashes) as
    separators, so an attacker can construct request paths whose relative components
    resolve to files outside the root directory.
published: 2022-07-27T20:26:59Z
cves:
    - CVE-2022-21221
ghsas:
    - GHSA-fx95-883v-4q4h
credits:
    - egovorukhin
references:
    - fix: https://github.com/valyala/fasthttp/commit/6b5bc7bb304975147b4af68df54ac214ed2554c1
    - web: https://github.com/valyala/fasthttp/issues/1226
    - web: https://github.com/valyala/fasthttp/releases/tag/v1.34.0
    - web: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMVALYALAFASTHTTP-2407866
