Usage of Root directory mounting

  • Rule ID: go_gosec_filesystem_dirtraversal
  • Languages: go
  • Source: dirtraversal.yml

Description

Mounting the root directory (/) as the document root of an HTTP server, which in Go is the pattern http.FileServer(http.Dir("/")), exposes the entire filesystem over the web. http.FileServer prevents requests from escaping the mounted directory with ../ sequences, but when that directory is / there is nothing to escape from: every file the server process can read, including configuration files, credentials, private keys, source code and logs, becomes reachable by URL. The result is information disclosure and a ready foothold for further compromise.

Remediations

  • Do not mount the root directory as the web server's root. Doing so makes every file the server process can read accessible over the web.
  • Do serve files from a dedicated directory created for public access, and ensure it contains only files intended for public viewing (no .env, .git or backup files).
  • Do apply strict filesystem permissions to the served directory and run the server process as an unprivileged user, so that the process can read only the files it is meant to serve even if a handler is misconfigured.
  • Do use the server's own access controls to restrict what is exposed. Go's net/http file server does not read .htaccess files; such files only take effect when a server that honours them, such as Apache HTTP Server, sits in front of the application.
  • Do consider isolating the server with containerization or virtualization. A minimal container image with only the public directory mounted limits what an over-broad file server can expose if one is deployed by mistake.
  • Do audit the filesystem and the files the server is hosting regularly, so that no sensitive file is accidentally exposed.

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gosec_filesystem_dirtraversal

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gosec_filesystem_dirtraversal