blob: 84862a54f50f64f663fcd10f8788447a454e747f [file] [log] [blame]
id: GO-2022-0355
modules:
- module: github.com/valyala/fasthttp
versions:
- fixed: 1.34.0
vulnerable_at: 1.33.0
packages:
- package: github.com/valyala/fasthttp
symbols:
- FS.NewRequestHandler
derived_symbols:
- AppendBrotliBytes
- AppendBrotliBytesLevel
- AppendDeflateBytes
- AppendDeflateBytesLevel
- AppendGunzipBytes
- AppendGzipBytes
- AppendGzipBytesLevel
- AppendHTTPDate
- AppendInflateBytes
- AppendUnbrotliBytes
- Args.WriteTo
- Client.CloseIdleConnections
- Client.Do
- Client.DoDeadline
- Client.DoRedirects
- Client.DoTimeout
- Client.Get
- Client.GetDeadline
- Client.GetTimeout
- Client.Post
- Cookie.AppendBytes
- Cookie.Cookie
- Cookie.Parse
- Cookie.ParseBytes
- Cookie.String
- Cookie.WriteTo
- Dial
- DialDualStack
- DialDualStackTimeout
- DialTimeout
- Do
- DoDeadline
- DoRedirects
- DoTimeout
- FSHandler
- FileLastModified
- GenerateTestCertificate
- Get
- GetDeadline
- GetTimeout
- HostClient.CloseIdleConnections
- HostClient.Do
- HostClient.DoDeadline
- HostClient.DoRedirects
- HostClient.DoTimeout
- HostClient.Get
- HostClient.GetDeadline
- HostClient.GetTimeout
- HostClient.Post
- LBClient.Do
- LBClient.DoDeadline
- LBClient.DoTimeout
- ListenAndServe
- ListenAndServeTLS
- ListenAndServeTLSEmbed
- ListenAndServeUNIX
- NewStreamReader
- ParseByteRange
- ParseHTTPDate
- ParseIPv4
- PipelineClient.Do
- PipelineClient.DoDeadline
- PipelineClient.DoTimeout
- PipelineClient.PendingRequests
- Post
- Request.Body
- Request.BodyGunzip
- Request.BodyInflate
- Request.BodyUnbrotli
- Request.BodyWriteTo
- Request.ContinueReadBody
- Request.ContinueReadBodyStream
- Request.Host
- Request.MultipartForm
- Request.PostArgs
- Request.Read
- Request.ReadBody
- Request.ReadLimitBody
- Request.SetBodyStreamWriter
- Request.SetHost
- Request.SetHostBytes
- Request.String
- Request.SwapBody
- Request.URI
- Request.Write
- Request.WriteTo
- RequestCtx.FormFile
- RequestCtx.FormValue
- RequestCtx.Host
- RequestCtx.IfModifiedSince
- RequestCtx.MultipartForm
- RequestCtx.Path
- RequestCtx.PostArgs
- RequestCtx.PostBody
- RequestCtx.QueryArgs
- RequestCtx.Redirect
- RequestCtx.RedirectBytes
- RequestCtx.SendFile
- RequestCtx.SendFileBytes
- RequestCtx.SetBodyStreamWriter
- RequestCtx.String
- RequestCtx.URI
- RequestHeader.Add
- RequestHeader.AddBytesK
- RequestHeader.AddBytesKV
- RequestHeader.AddBytesV
- RequestHeader.Read
- RequestHeader.ReadTrailer
- RequestHeader.Set
- RequestHeader.SetByteRange
- RequestHeader.SetBytesK
- RequestHeader.SetBytesKV
- RequestHeader.SetBytesV
- RequestHeader.SetCanonical
- RequestHeader.SetReferer
- RequestHeader.SetRefererBytes
- RequestHeader.Write
- Response.Body
- Response.BodyGunzip
- Response.BodyInflate
- Response.BodyUnbrotli
- Response.BodyWriteTo
- Response.Read
- Response.ReadBody
- Response.ReadLimitBody
- Response.SendFile
- Response.SetBodyStreamWriter
- Response.String
- Response.SwapBody
- Response.Write
- Response.WriteDeflate
- Response.WriteDeflateLevel
- Response.WriteGzip
- Response.WriteGzipLevel
- Response.WriteTo
- ResponseHeader.Add
- ResponseHeader.AddBytesK
- ResponseHeader.AddBytesKV
- ResponseHeader.AddBytesV
- ResponseHeader.AppendBytes
- ResponseHeader.Cookie
- ResponseHeader.DelClientCookie
- ResponseHeader.DelClientCookieBytes
- ResponseHeader.Header
- ResponseHeader.Read
- ResponseHeader.ReadTrailer
- ResponseHeader.Set
- ResponseHeader.SetBytesK
- ResponseHeader.SetBytesKV
- ResponseHeader.SetBytesV
- ResponseHeader.SetCanonical
- ResponseHeader.SetContentRange
- ResponseHeader.SetCookie
- ResponseHeader.SetLastModified
- ResponseHeader.String
- ResponseHeader.Write
- ResponseHeader.WriteTo
- SaveMultipartFile
- Serve
- ServeConn
- ServeFile
- ServeFileBytes
- ServeFileBytesUncompressed
- ServeFileUncompressed
- ServeTLS
- ServeTLSEmbed
- Server.AppendCert
- Server.AppendCertEmbed
- Server.ListenAndServe
- Server.ListenAndServeTLS
- Server.ListenAndServeTLSEmbed
- Server.ListenAndServeUNIX
- Server.Serve
- Server.ServeConn
- Server.ServeTLS
- Server.ServeTLSEmbed
- Server.Shutdown
- TCPDialer.Dial
- TCPDialer.DialDualStack
- TCPDialer.DialDualStackTimeout
- TCPDialer.DialTimeout
- URI.Parse
- URI.Update
- URI.UpdateBytes
- URI.WriteTo
- WriteBrotli
- WriteBrotliLevel
- WriteDeflate
- WriteDeflateLevel
- WriteGunzip
- WriteGzip
- WriteGzipLevel
- WriteInflate
- WriteMultipartForm
- WriteUnbrotli
- bigFileReader.Read
- bigFileReader.WriteTo
- ctxLogger.Printf
- firstByteReader.Read
- flushWriter.Write
- fsFile.NewReader
- fsSmallFileReader.WriteTo
- hijackConn.Close
- hijackConn.Read
- perIPConn.Close
- perIPConnCounter.Unregister
- pipelineConnClient.Do
- pipelineConnClient.DoDeadline
- pipelineConnClient.PendingRequests
- requestStream.Read
- statsWriter.Write
- tcpKeepaliveListener.Accept
- workerPool.Serve
summary: Path traversal in github.com/valyala/fasthttp
description: |-
The fasthttp.FS request handler is vulnerable to directory traversal attacks on
Windows systems, and can serve files from outside the provided root directory.
URL path normalization does not handle Windows path separators (backslashes),
permitting an attacker to construct requests with relative paths.
published: 2022-07-27T20:26:59Z
cves:
- CVE-2022-21221
ghsas:
- GHSA-fx95-883v-4q4h
credits:
- egovorukhin
references:
- fix: https://github.com/valyala/fasthttp/commit/6b5bc7bb304975147b4af68df54ac214ed2554c1
- web: https://github.com/valyala/fasthttp/issues/1226
- web: https://github.com/valyala/fasthttp/releases/tag/v1.34.0
- web: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMVALYALAFASTHTTP-2407866
review_status: REVIEWED