{"id":"GO-2024-3293","summary":"Full access to the host's OS file system using osfs.FS with Router.Static in goyave.dev/goyave/v5","details":"Static file serving using router.Static and osfs.FS allows clients to access any file on the host file system using relative paths because the requested path is not sanitized and . and .. segments are accepted. The files will be returned as a response, provided the system user running the Go application has read access to the requested file.\n\nAs a workaround, use fsutil.NewEmbed(embeddedFS) from the goyave.dev/goyave/v5/util/fsutil package to serve static content using Router.Static instead of &osfs.FS. Embedded file systems are rooted to the specified directory, making it impossible to navigate outside of the developers' intended directory.","modified":"2024-12-13T20:59:35Z","published":"2024-12-13T20:59:35Z","database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2024-3293"},"references":[{"type":"FIX","url":"https://github.com/go-goyave/goyave/commit/5836bff3efaa8a37fbd58d077b93f03e93e05edd"},{"type":"WEB","url":"https://github.com/golang/vulndb/issues/3293"}],"affected":[{"package":{"name":"goyave.dev/goyave/v5","ecosystem":"Go","purl":"pkg:golang/goyave.dev/goyave/v5"},"ranges":[{"type":"SEMVER","events":[{"introduced":"5.0.0"},{"fixed":"5.5.0"}]}],"ecosystem_specific":{"imports":[{"symbols":["Router.ServeHTTP","Router.Static","Server.Start","cleanStaticPath","staticHandler"],"path":"goyave.dev/goyave/v5"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2024-3293.json"}}],"schema_version":"1.7.3"}