Bug Description
A request to a path handled by a static router generates an internal server error if the requested path matches the router prefix suffixed with `..`. For example, if the router prefix is `/css`, requests to `/css../*` return the 500 error code.
That could be considered a vulnerability:
- it raises false-positive alerts in the monitoring system
- it may indicate deeper vulnerabilities; the error could be a symptom of an underlying issue
How to Reproduce
Steps to reproduce the behavior:
- create the directory `./css`
- start the server:

  ```go
  package main

  import (
  	"log"

  	"github.com/gofiber/fiber/v2"
  )

  func main() {
  	app := fiber.New()
  	// Serve the ./css directory under the /css prefix.
  	app.Static("/css", "./css")
  	log.Fatal(app.Listen(":3000"))
  }
  ```

- request `http://localhost:3000/css../whatever`. The 500 error code is returned instead of the expected 404.
Expected Behavior
The static router should always return 404 if the requested path does not exist.
A workaround is to explicitly exclude the buggy path:
```go
package main

import (
	"log"

	"github.com/gofiber/fiber/v2"
)

func main() {
	app := fiber.New()
	// Answer 404 for the "/css.." prefix before the static router sees it.
	app.Use("/css..", func(c *fiber.Ctx) error {
		return c.SendStatus(fiber.StatusNotFound)
	})
	app.Static("/css", "./css")
	log.Fatal(app.Listen(":3000"))
}
```
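The workaround above blocks one literal path. The general defensive check is to decide whether a cleaned request path really lies under the mount prefix (prefix followed by `/`, or an exact match), and to return 404 otherwise. The following is an added example that is not part of this issue or of Fiber's code; it uses only the Go standard library (`net/http`, `path`, `testing/fstest`) with a constructed in-memory file tree, and the names `underPrefix`, `staticHandler` and `demoStatus` are hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
	"testing/fstest"
)

// underPrefix reports whether reqPath is genuinely inside the mount prefix.
// A byte-wise prefix test accepts "/css../whatever" for prefix "/css";
// cleaning the path first and requiring a "/" boundary (or an exact match)
// rejects it. The returned string is the path relative to the prefix
// (e.g. "/main.css"), always cleaned and rooted.
func underPrefix(prefix, reqPath string) (string, bool) {
	prefix = strings.TrimSuffix(path.Clean("/"+prefix), "/")
	clean := path.Clean("/" + reqPath) // collapses "." and ".." segments
	if clean == prefix {
		return "/", true
	}
	if !strings.HasPrefix(clean, prefix+"/") {
		return "", false
	}
	return clean[len(prefix):], true
}

// staticHandler serves files from root only for paths under prefix;
// everything else gets a plain 404 instead of reaching the file server.
func staticHandler(prefix string, root http.FileSystem) http.Handler {
	fileServer := http.FileServer(root)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		rel, ok := underPrefix(prefix, r.URL.Path)
		if !ok {
			http.NotFound(w, r)
			return
		}
		r2 := r.Clone(r.Context())
		r2.URL.Path = rel // file server sees the path relative to the mount
		fileServer.ServeHTTP(w, r2)
	})
}

// demoStatus runs one request against the guarded handler over a constructed
// in-memory tree containing a single file, main.css, and returns the status.
func demoStatus(reqPath string) int {
	root := http.FS(fstest.MapFS{
		"main.css": &fstest.MapFile{Data: []byte("body{}")},
	})
	h := staticHandler("/css", root)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, reqPath, nil))
	return rec.Code
}

func main() {
	for _, p := range []string{
		"/css/main.css",    // inside the mount: 200
		"/css../whatever",  // the path from the report: 404, not 500
		"/css/../main.css", // cleans to /main.css, outside the mount: 404
		"/cssx/main.css",   // shares bytes with the prefix only: 404
	} {
		fmt.Printf("%-20s -> %d\n", p, demoStatus(p))
	}
}
```

The boundary check matters more than the cleaning: `path.Clean` never touches `/css../whatever` because `css..` is an ordinary segment, so only the `prefix+"/"` comparison keeps it out of the mount.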
Fiber Version
v2.52.5
Code Snippet (optional)
No response
Checklist:
- I agree to follow Fiber's Code of Conduct.
- I have checked for existing issues that describe my problem prior to opening this one.
- I understand that improperly formatted bug reports may be closed without explanation.