Relative path traversal
- Rule ID: go_gosec_filesystem_dirtraversal
- Languages: go
- Source: dirtraversal.yml
Description
Mounting the root directory (/
) in an HTTP server is a significant security risk. It potentially allows anyone with access to the HTTP service to browse and access system files, which can lead to information disclosure, data breaches, or further exploitation of the system.
Remediations
Implement the following measures to prevent exposing the entire filesystem through your web server:
✅ Serve Specific Directory
Change the http.Dir
to serve files from a specific, safe directory intended for public access rather than the root directory. Ensure this directory contains only the files that are meant to be publicly accessible.
✅ Access Control
Apply appropriate permissions to the directory being served to ensure that the server process can only access the files that it's supposed to serve.
✅ Use of Configuration Files
If supported, use configuration files like .htaccess
(for Apache HTTP Server) or equivalent server configuration to control access to directories.
✅ Isolate Environment
Consider running your server in a containerized or virtualized environment with strict access controls to limit the potential damage in case of a security breach.
✅ Regular Audits
Perform regular audits of the filesystem and the files being served to ensure that no sensitive information is being unintentionally exposed.
import (
"net/http"
"log"
)
func main() {
// Define the specific path to a directory to be served
const safePath = "/var/www/html/public"
// Create a new file server handler that serves files from the safePath
fs := http.FileServer(http.Dir(safePath))
// Configure the server to handle requests to the root with the file server handler
http.Handle("/", http.StripPrefix("/", fs))
// Start the server
log.Fatal(http.ListenAndServe(":9000", nil))
}
Resources
- Go Documentation: http package
- OWASP: Securing File Uploads
- NIST Guidelines on Securing Public Web Servers
- Docker Documentation: Use containers for isolation
- Linux man page for chmod (file permissions)
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=go_gosec_filesystem_dirtraversal
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=go_gosec_filesystem_dirtraversal
Ready to take the next step? Learn more about Bearer Cloud.