| id: GO-2022-0355 |
| modules: |
| - module: github.com/valyala/fasthttp |
| versions: |
| - fixed: 1.34.0 |
| vulnerable_at: 1.33.0 |
| packages: |
| - package: github.com/valyala/fasthttp |
| symbols: |
| - FS.NewRequestHandler |
| derived_symbols: |
| - AppendBrotliBytes |
| - AppendBrotliBytesLevel |
| - AppendDeflateBytes |
| - AppendDeflateBytesLevel |
| - AppendGunzipBytes |
| - AppendGzipBytes |
| - AppendGzipBytesLevel |
| - AppendHTTPDate |
| - AppendInflateBytes |
| - AppendUnbrotliBytes |
| - Args.WriteTo |
| - Client.CloseIdleConnections |
| - Client.Do |
| - Client.DoDeadline |
| - Client.DoRedirects |
| - Client.DoTimeout |
| - Client.Get |
| - Client.GetDeadline |
| - Client.GetTimeout |
| - Client.Post |
| - Cookie.AppendBytes |
| - Cookie.Cookie |
| - Cookie.Parse |
| - Cookie.ParseBytes |
| - Cookie.String |
| - Cookie.WriteTo |
| - Dial |
| - DialDualStack |
| - DialDualStackTimeout |
| - DialTimeout |
| - Do |
| - DoDeadline |
| - DoRedirects |
| - DoTimeout |
| - FSHandler |
| - FileLastModified |
| - GenerateTestCertificate |
| - Get |
| - GetDeadline |
| - GetTimeout |
| - HostClient.CloseIdleConnections |
| - HostClient.Do |
| - HostClient.DoDeadline |
| - HostClient.DoRedirects |
| - HostClient.DoTimeout |
| - HostClient.Get |
| - HostClient.GetDeadline |
| - HostClient.GetTimeout |
| - HostClient.Post |
| - LBClient.Do |
| - LBClient.DoDeadline |
| - LBClient.DoTimeout |
| - ListenAndServe |
| - ListenAndServeTLS |
| - ListenAndServeTLSEmbed |
| - ListenAndServeUNIX |
| - NewStreamReader |
| - ParseByteRange |
| - ParseHTTPDate |
| - ParseIPv4 |
| - PipelineClient.Do |
| - PipelineClient.DoDeadline |
| - PipelineClient.DoTimeout |
| - PipelineClient.PendingRequests |
| - Post |
| - Request.Body |
| - Request.BodyGunzip |
| - Request.BodyInflate |
| - Request.BodyUnbrotli |
| - Request.BodyWriteTo |
| - Request.ContinueReadBody |
| - Request.ContinueReadBodyStream |
| - Request.Host |
| - Request.MultipartForm |
| - Request.PostArgs |
| - Request.Read |
| - Request.ReadBody |
| - Request.ReadLimitBody |
| - Request.SetBodyStreamWriter |
| - Request.SetHost |
| - Request.SetHostBytes |
| - Request.String |
| - Request.SwapBody |
| - Request.URI |
| - Request.Write |
| - Request.WriteTo |
| - RequestCtx.FormFile |
| - RequestCtx.FormValue |
| - RequestCtx.Host |
| - RequestCtx.IfModifiedSince |
| - RequestCtx.MultipartForm |
| - RequestCtx.Path |
| - RequestCtx.PostArgs |
| - RequestCtx.PostBody |
| - RequestCtx.QueryArgs |
| - RequestCtx.Redirect |
| - RequestCtx.RedirectBytes |
| - RequestCtx.SendFile |
| - RequestCtx.SendFileBytes |
| - RequestCtx.SetBodyStreamWriter |
| - RequestCtx.String |
| - RequestCtx.URI |
| - RequestHeader.Add |
| - RequestHeader.AddBytesK |
| - RequestHeader.AddBytesKV |
| - RequestHeader.AddBytesV |
| - RequestHeader.Read |
| - RequestHeader.ReadTrailer |
| - RequestHeader.Set |
| - RequestHeader.SetByteRange |
| - RequestHeader.SetBytesK |
| - RequestHeader.SetBytesKV |
| - RequestHeader.SetBytesV |
| - RequestHeader.SetCanonical |
| - RequestHeader.SetReferer |
| - RequestHeader.SetRefererBytes |
| - RequestHeader.Write |
| - Response.Body |
| - Response.BodyGunzip |
| - Response.BodyInflate |
| - Response.BodyUnbrotli |
| - Response.BodyWriteTo |
| - Response.Read |
| - Response.ReadBody |
| - Response.ReadLimitBody |
| - Response.SendFile |
| - Response.SetBodyStreamWriter |
| - Response.String |
| - Response.SwapBody |
| - Response.Write |
| - Response.WriteDeflate |
| - Response.WriteDeflateLevel |
| - Response.WriteGzip |
| - Response.WriteGzipLevel |
| - Response.WriteTo |
| - ResponseHeader.Add |
| - ResponseHeader.AddBytesK |
| - ResponseHeader.AddBytesKV |
| - ResponseHeader.AddBytesV |
| - ResponseHeader.AppendBytes |
| - ResponseHeader.Cookie |
| - ResponseHeader.DelClientCookie |
| - ResponseHeader.DelClientCookieBytes |
| - ResponseHeader.Header |
| - ResponseHeader.Read |
| - ResponseHeader.ReadTrailer |
| - ResponseHeader.Set |
| - ResponseHeader.SetBytesK |
| - ResponseHeader.SetBytesKV |
| - ResponseHeader.SetBytesV |
| - ResponseHeader.SetCanonical |
| - ResponseHeader.SetContentRange |
| - ResponseHeader.SetCookie |
| - ResponseHeader.SetLastModified |
| - ResponseHeader.String |
| - ResponseHeader.Write |
| - ResponseHeader.WriteTo |
| - SaveMultipartFile |
| - Serve |
| - ServeConn |
| - ServeFile |
| - ServeFileBytes |
| - ServeFileBytesUncompressed |
| - ServeFileUncompressed |
| - ServeTLS |
| - ServeTLSEmbed |
| - Server.AppendCert |
| - Server.AppendCertEmbed |
| - Server.ListenAndServe |
| - Server.ListenAndServeTLS |
| - Server.ListenAndServeTLSEmbed |
| - Server.ListenAndServeUNIX |
| - Server.Serve |
| - Server.ServeConn |
| - Server.ServeTLS |
| - Server.ServeTLSEmbed |
| - Server.Shutdown |
| - TCPDialer.Dial |
| - TCPDialer.DialDualStack |
| - TCPDialer.DialDualStackTimeout |
| - TCPDialer.DialTimeout |
| - URI.Parse |
| - URI.Update |
| - URI.UpdateBytes |
| - URI.WriteTo |
| - WriteBrotli |
| - WriteBrotliLevel |
| - WriteDeflate |
| - WriteDeflateLevel |
| - WriteGunzip |
| - WriteGzip |
| - WriteGzipLevel |
| - WriteInflate |
| - WriteMultipartForm |
| - WriteUnbrotli |
| - bigFileReader.Read |
| - bigFileReader.WriteTo |
| - ctxLogger.Printf |
| - firstByteReader.Read |
| - flushWriter.Write |
| - fsFile.NewReader |
| - fsSmallFileReader.WriteTo |
| - hijackConn.Close |
| - hijackConn.Read |
| - perIPConn.Close |
| - perIPConnCounter.Unregister |
| - pipelineConnClient.Do |
| - pipelineConnClient.DoDeadline |
| - pipelineConnClient.PendingRequests |
| - requestStream.Read |
| - statsWriter.Write |
| - tcpKeepaliveListener.Accept |
| - workerPool.Serve |
| summary: Directory traversal on Windows in github.com/valyala/fasthttp |
| description: | |
| The fasthttp.FS request handler (and the FSHandler / ServeFile helpers |
| built on it) is vulnerable to directory traversal attacks on Windows |
| systems, and can serve files from outside the configured root directory. |
| |
| URL path normalization only treats the forward slash as a path separator |
| and does not handle Windows path separators (backslashes), so an |
| attacker can craft a request path whose backslash-separated segments |
| (including parent-directory ".." segments) are passed through unchanged |
| and resolve outside the root. Deployments on non-Windows systems are not |
| affected, since the backslash is not a path separator there. Upgrade to |
| v1.34.0 or later, which normalizes backslashes during path handling. |
| published: 2022-07-27T20:26:59Z |
| cves: |
| - CVE-2022-21221 |
| ghsas: |
| - GHSA-fx95-883v-4q4h |
| credits: |
| - egovorukhin |
| references: |
| - fix: https://github.com/valyala/fasthttp/commit/6b5bc7bb304975147b4af68df54ac214ed2554c1 |
| - web: https://github.com/valyala/fasthttp/issues/1226 |
| - web: https://github.com/valyala/fasthttp/releases/tag/v1.34.0 |
| - web: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMVALYALAFASTHTTP-2407866 |