document things to reduce false positives

aldas · aldas · commit 6067257be136 · 2025-12-12T10:51:24.000+02:00
diff --git a/middleware/static.go b/middleware/static.go
@@ -174,6 +174,12 @@ func StaticWithConfig(config StaticConfig) echo.MiddlewareFunc {
 			if err != nil {
 				return
 			}
+			// Security: We use path.Clean() (not filepath.Clean()) because:
+			// 1. HTTP URLs always use forward slashes, regardless of server OS
+			// 2. path.Clean() provides platform-independent behavior for URL paths
+			// 3. The "/" prefix forces absolute path interpretation, removing ".." components
+			// 4. Backslashes are treated as literal characters (not path separators), preventing traversal
+			// See static_windows.go for Go 1.20+ filepath.Clean compatibility notes
 			name := path.Join(config.Root, path.Clean("/"+p)) // "/"+ for security
 
 			if config.IgnoreBase {
diff --git a/middleware/static_test.go b/middleware/static_test.go
@@ -100,6 +100,48 @@ func TestStatic(t *testing.T) {
 			expectCode:     http.StatusNotFound,
 			expectContains: "{\"message\":\"Not Found\"}\n",
 		},
+		{
+			name:           "nok, URL encoded path traversal (single encoding)",
+			whenURL:        "/%2e%2e%2fmiddleware/basic_auth.go",
+			expectCode:     http.StatusNotFound,
+			expectContains: "{\"message\":\"Not Found\"}\n",
+		},
+		{
+			name:           "nok, URL encoded path traversal (double encoding)",
+			whenURL:        "/%252e%252e%252fmiddleware/basic_auth.go",
+			expectCode:     http.StatusNotFound,
+			expectContains: "{\"message\":\"Not Found\"}\n",
+		},
+		{
+			name:           "nok, URL encoded path traversal (mixed encoding)",
+			whenURL:        "/%2e%2e/middleware/basic_auth.go",
+			expectCode:     http.StatusNotFound,
+			expectContains: "{\"message\":\"Not Found\"}\n",
+		},
+		{
+			name:           "nok, backslash URL encoded",
+			whenURL:        "/..%5c..%5cmiddleware/basic_auth.go",
+			expectCode:     http.StatusNotFound,
+			expectContains: "{\"message\":\"Not Found\"}\n",
+		},
+		{
+			name:           "nok, null byte injection",
+			whenURL:        "/index.html%00.jpg",
+			expectCode:     http.StatusInternalServerError,
+			expectContains: "{\"message\":\"Internal Server Error\"}\n",
+		},
+		{
+			name:           "nok, mixed backslash and forward slash traversal",
+			whenURL:        "/..\\../middleware/basic_auth.go",
+			expectCode:     http.StatusNotFound,
+			expectContains: "{\"message\":\"Not Found\"}\n",
+		},
+		{
+			name:           "nok, trailing dots (Windows edge case)",
+			whenURL:        "/../middleware/basic_auth.go...",
+			expectCode:     http.StatusNotFound,
+			expectContains: "{\"message\":\"Not Found\"}\n",
+		},
 		{
 			name:           "ok, do not serve file, when a handler took care of the request",
 			whenURL:        "/regular-handler",
