Skip to content

Fix for traverse issue#448

Closed
n0vad3v wants to merge 1 commit into
masterfrom
traverse-sec
Closed

Fix for traverse issue#448
n0vad3v wants to merge 1 commit into
masterfrom
traverse-sec

Conversation

@n0vad3v

@n0vad3v n0vad3v commented May 31, 2026

Copy link
Copy Markdown
Member

Summary

This PR hardens path traversal protections and improves maintainability without changing intended external behavior.

  • Strengthened local path resolution boundaries:
    • Added real-path (EvalSymlinks) boundary checks in ResolveUnderBase / RelPathUnderBase.
    • Prevents symlink-based escapes outside the configured base directory.
  • Added symlink traversal test coverage:
    • New test case for symlink escape attempts.
    • Includes conditional skip for environments where symlinks are unsupported/restricted.
  • Consolidated metadata access paths:
    • Introduced MetadataTarget with unified Read/Write/DeleteMetadataForTarget entry points.
    • Reduced duplicated local/remote branching logic across callers.
  • Updated callers to use unified metadata APIs:
    • router, remote, and prefetch now use the centralized metadata interface.
  • Added query-key stability tests:
    • Covers canonical BuildQueryKey output and getLocalId hash consistency.

Security Impact

  • Further hardens traversal defenses by covering:
    • Double-encoded ../ traversal attempts.
    • Symlink-based directory escape attempts.
  • Ensures meta=full does not leak metadata for unauthorized paths.

Why This Change

  • Existing fixes addressed encoded traversal patterns, but symlink-based escape remained an important filesystem attack surface to explicitly defend.
  • Metadata access logic had diverged into multiple call paths; this refactor reduces drift risk and improves long-term maintainability.

Test Plan

Validated with targeted regression tests:

  • go test ./helper -run 'TestResolveUnderBase|TestResolveUnderBaseBlocksSymlinkEscape|TestBuildQueryKeyStable|TestGetLocalIdUsesCanonicalQueryKey'
  • go test ./handler -run 'TestDirectoryTraversalMetadataBlocked|TestDirectoryTraversalNormalRequestBlocked|TestAllowedImageStillWorks'

Compatibility / Risk

  • No intended behavior change for valid requests.
  • Path validation is stricter by design and may reject previously tolerated but unsafe paths.

LLM Assistance Disclosure

This change involved substantial LLM-assisted development, including:

  • security hardening design and implementation support,
  • test case design and regression coverage planning,
  • metadata API consolidation/refactor guidance,
  • and PR documentation drafting.

All resulting code and behavior were reviewed and validated locally by the maintainer.

@n0vad3v n0vad3v requested a review from BennyThink May 31, 2026 02:55
@github-actions

Copy link
Copy Markdown

Report Summary

┌──────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                    Target                    │   Type   │ Vulnerabilities │ Secrets │
├──────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ ghcr.io/webp-sh/webp_server_go (debian 13.5) │  debian  │        0        │    -    │
├──────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/bin/webp-server                          │ gobinary │        0        │    -    │
└──────────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


@n0vad3v n0vad3v closed this Jun 1, 2026
@n0vad3v n0vad3v deleted the traverse-sec branch June 1, 2026 07:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant