Fix path traversal issue on static files

Before this commit, it is possible to do path traversals with static files. In `StaticUtil` (`StaticEndpoints.scala`), the `ctx.remainingPathSegments` is not properly sanitized and is priorly decoded in `Main.scala`. Therefore, if a static endpoint has a remaining path segment having `/` (e.g. if a client sends a `static/..%2F/hi.txt`), `filter` will fail to filter and the path `static/../hi.txt` will be returned, which should be prohibited.
com-lihaoyi · Dec 27, 2024 · 68c2e4b · 68c2e4b
1 parent 8b598f7
commit 68c2e4b
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/cask/src/cask/endpoints/StaticEndpoints.scala b/cask/src/cask/endpoints/StaticEndpoints.scala
@@ -5,7 +5,7 @@ import cask.model.Request
 object StaticUtil{
   def makePathAndContentType(t: String, ctx: Request) = {
     val leadingSlash = if (t.startsWith("/")) "/" else ""
-    val path = leadingSlash + (cask.internal.Util.splitPath(t) ++ ctx.remainingPathSegments)
+    val path = leadingSlash + (cask.internal.Util.splitPath(t) ++ ctx.remainingPathSegments.flatMap(cask.internal.Util.splitPath))
       .filter(s => s != "." && s != "..")
       .mkString("/")
     val contentType = java.nio.file.Files.probeContentType(java.nio.file.Paths.get(path))