Relative path traversal

• Rule ID: go_gosec_filesystem_dirtraversal
• Languages: go
• Source: dirtraversal.yml

Description

Mounting the root directory (/) in an HTTP server is a significant security risk. It potentially allows anyone with access to the HTTP service to browse and access system files, which can lead to information disclosure, data breaches, or further exploitation of the system.

Remediations

Implement the following measures to prevent exposing the entire filesystem through your web server:

✅ Serve Specific Directory

Change the http.Dir to serve files from a specific, safe directory intended for public access rather than the root directory. Ensure this directory contains only the files that are meant to be publicly accessible.

✅ Access Control

Apply appropriate permissions to the directory being served to ensure that the server process can only access the files that it's supposed to serve.

✅ Use of Configuration Files

If supported, use configuration files like .htaccess (for Apache HTTP Server) or equivalent server configuration to control access to directories.

✅ Isolate Environment

Consider running your server in a containerized or virtualized environment with strict access controls to limit the potential damage in case of a security breach.

✅ Regular Audits

Perform regular audits of the filesystem and the files being served to ensure that no sensitive information is being unintentionally exposed.

import (
    "net/http"
    "log"
)

func main() {
    // Define the specific path to a directory to be served
    const safePath = "/var/www/html/public"

    // Create a new file server handler that serves files from the safePath
    fs := http.FileServer(http.Dir(safePath))

    // Configure the server to handle requests to the root with the file server handler
    http.Handle("/", http.StripPrefix("/", fs))

    // Start the server
    log.Fatal(http.ListenAndServe(":9000", nil))
}

Resources

• Go Documentation: http package
• OWASP: Securing File Uploads
• NIST Guidelines on Securing Public Web Servers
• Docker Documentation: Use containers for isolation
• Linux man page for chmod (file permissions)

Associated CWE

• CWE-327: Use of a Broken or Risky Cryptographic Algorithm

OWASP Top 10

• A02:2021 - Cryptographic Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gosec_filesystem_dirtraversal

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gosec_filesystem_dirtraversal