Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Audit required: Exposure of directory listing using net/http.FileServer #778

Open
philipjonsen opened this issue Sep 22, 2023 · 0 comments

Comments

@philipjonsen
Copy link

Summary of the Bug

A directory listing provides an attacker with the complete index of all the resources located inside of the directory. The specific risks and consequences vary depending on which files are listed and accessible.

Steps to Reproduce

Steps to reproduce the behavior:
https://github.com/shentufoundation/shentu/blob/master/app/app.go#L654-L654 -- Problematic code : staticServer := http.FileServer(statikFS)

https://github.com/shentufoundation/shentu/blob/master/simapp/simapp.go#L726-L726 -- Problematic code staticServer := http.FileServer(statikFS)

DESCRIPTION:

A directory listing is inappropriately exposed using net/http.FileServer, yielding potentially sensitive information to attackers.

BAD PRACTICE
package main

import (
"net/http"
)

func main() {
http.Handle("/", http.FileServer(http.Dir("/")))
_ = http.ListenAndServe(":3000", nil)
}


Ref:

https://docs.gitlab.com/ee/user/application_security/dast/checks/548.1.html
https://cwe.mitre.org/data/definitions/548.html

Possible fix: https://stackoverflow.com/questions/49589685/good-way-to-disable-directory-listing-with-http-fileserver-in-go

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant