Usage of Root directory mounting

  • Rule ID: go_gosec_filesystem_dirtraversal
  • Languages: go
  • Source: dirtraversal.yml

Description

Serving the filesystem root (/) from an HTTP server, for example with http.FileServer(http.Dir("/")), is a significant security risk. Anyone who can reach the service can browse and download any file the server process is able to read, including configuration files, credentials and source code. That is an information disclosure on its own and gives an attacker the material for further exploitation of the system.

Remediations

Implement the following measures to prevent exposing the entire filesystem through your web server:

✅ Serve Specific Directory

Point http.Dir at a dedicated directory intended for public access rather than the root directory, and keep that directory free of anything else (configuration, credentials, source). http.FileServer resolves request paths relative to the directory you give it and cleans ".." segments, so the directory boundary holds as long as the directory itself contains only public files.

✅ Access Control

Run the server under a dedicated, unprivileged user and set filesystem permissions so that this user can read only the directory being served. Even if the served path is later misconfigured, the process then cannot hand out files it is not supposed to serve.

✅ Use of Configuration Files

If a reverse proxy or web server such as Apache HTTP Server fronts the Go service, use its configuration (for Apache, .htaccess or the main server configuration) to restrict which paths are reachable. Note that Go's net/http file server does not read .htaccess itself; a .htaccess file placed in the served directory is just another file it will serve.

✅ Isolate Environment

Consider running the server in a container or virtual machine whose filesystem contains only what the service needs, with strict access controls, so that a misconfigured file server can expose no more than the contents of that environment.

✅ Regular Audits

Perform regular audits of the filesystem and of the files being served to ensure that no sensitive information is unintentionally exposed. Include directory listings in the audit: http.FileServer generates a listing for any directory that has no index.html, which reveals every file name in it.

package main

import (
    "log"
    "net/http"
)

func main() {
    // Serve only this directory, never the filesystem root ("/").
    const safePath = "/var/www/html/public"

    // http.FileServer resolves every request path relative to safePath and
    // cleans ".." segments, so requests cannot escape the directory.
    fs := http.FileServer(http.Dir(safePath))

    // Mount the file server at the root URL path; FileServer handles the
    // full request path itself, so no prefix stripping is needed.
    http.Handle("/", fs)

    // Start the server.
    log.Fatal(http.ListenAndServe(":9000", nil))
}
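The fix above stops at choosing a safe directory. The following program, an added example that is not part of the Bearer rule documentation or of any project's code, goes two steps further and lets you verify the result without a network: it wraps http.Dir in a custom http.FileSystem that also refuses dotfiles (such as .env) and directory listings, builds a throwaway public directory with constructed sample content, and probes the handler with traversal and dotfile requests to show which status each one gets. The type restrictedFS and the functions NewPublicHandler, SetupDemoDir and ProbeStatuses are names chosen for this example, and the file contents are constructed.

```go
package main

import (
	"io/fs"
	"log"
	"net/http"
	"net/http/httptest"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// restrictedFS wraps the http.FileSystem of one public directory and refuses
// dotfiles (.env, .git/config) and listings of directories without index.html.
type restrictedFS struct{ root http.FileSystem }

func (r restrictedFS) Open(name string) (http.File, error) {
	// Clean resolves ".." against "/", so the path cannot point above root.
	clean := path.Clean("/" + name)
	for _, seg := range strings.Split(clean, "/") {
		if strings.HasPrefix(seg, ".") {
			return nil, fs.ErrNotExist // http.FileServer turns this into a 404
		}
	}
	f, err := r.root.Open(clean)
	if err != nil {
		return nil, err
	}
	if st, err := f.Stat(); err == nil && st.IsDir() {
		// Without an index page http.FileServer would list the directory.
		idx, err := r.root.Open(path.Join(clean, "index.html"))
		if err != nil {
			f.Close()
			return nil, fs.ErrNotExist
		}
		idx.Close()
	}
	return f, nil
}

// NewPublicHandler serves only the contents of publicDir, never "/".
func NewPublicHandler(publicDir string) http.Handler {
	return http.FileServer(restrictedFS{root: http.Dir(publicDir)})
}

// SetupDemoDir creates a throwaway public directory with constructed sample
// content: files meant to be served next to a file that must never leave.
func SetupDemoDir() (string, error) {
	dir, err := os.MkdirTemp("", "public-")
	if err != nil {
		return "", err
	}
	files := map[string]string{
		"index.html":    "<h1>hello</h1>",
		"robots.txt":    "User-agent: *\n",
		"assets/app.js": "console.log('ok')",
		".env":          "DB_PASSWORD=example\n", // secret: must 404
	}
	for name, body := range files {
		p := filepath.Join(dir, filepath.FromSlash(name))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return "", err
		}
		if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
			return "", err
		}
	}
	return dir, nil
}

// ProbeStatuses sends each request target straight to the handler (no
// network) and returns the HTTP status code each one produced.
func ProbeStatuses(h http.Handler, targets []string) map[string]int {
	out := make(map[string]int, len(targets))
	for _, t := range targets {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, t, nil))
		out[t] = rec.Code
	}
	return out
}

func main() {
	dir, err := SetupDemoDir()
	if err != nil {
		log.Fatal(err)
	}
	defer os.RemoveAll(dir)
	// The rule flags http.Dir("/"); this handler is rooted at the demo directory.
	targets := []string{
		"/", "/robots.txt", "/assets/app.js", // public: 200
		"/.env", "/assets/", "/../../etc/passwd", "/%2e%2e/%2e%2e/etc/passwd", // 404
	}
	got := ProbeStatuses(NewPublicHandler(dir), targets)
	for _, t := range targets {
		log.Printf("%-28s -> %d", t, got[t])
	}
}
```

The traversal requests resolve to 404 because http.FileServer cleans the path and http.Dir joins the cleaned path onto the configured directory, so they land on a non-existent file inside the public directory rather than on /etc/passwd. The dotfile and directory-listing refusals are hardening beyond what the rule asks for; drop restrictedFS and use http.Dir directly if you need listings. In a real deployment, replace SetupDemoDir with the path to your actual public directory.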

Resources

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gosec_filesystem_dirtraversal

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gosec_filesystem_dirtraversal