# Exposing entire filesystem through HTTP handler

## Description
The application is potentially exposing the entire filesystem by mounting the root directory `/` in an HTTP handler. Anyone who can reach this HTTP server may be able to read any file that the server process has permission to read, including configuration files and secrets that live outside the intended document root. Restrict the `http.Dir` path to a specific folder instead of the entire filesystem.
## Examples

### Insecure Code

```go
// Mounting the filesystem root: every file the server process can read becomes servable.
http.Dir("/")
```

### Secure Code
```go
package main

import (
	"log"
	"net/http"
)

func main() {
	// Serve only the public document root, never the whole filesystem.
	const path = "/var/www/html/public"
	fs := http.FileServer(http.Dir(path))
	log.Fatal(http.ListenAndServe(":9000", fs))
}
```

## Remediation
Restrict the `http.Dir` path to the specific folder that holds the files meant to be served (for example `/var/www/html/public`) instead of the entire filesystem. `http.FileServer` cleans `..` segments out of request paths, so the directory passed to `http.Dir` is the effective security boundary: everything under it is reachable, nothing above it is.
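To make the boundary concrete, the following added example (not part of the original rule page) builds a constructed temp directory with a `public/hello.txt` meant to be served and a sibling `secret.txt` that must stay private, then issues in-process requests with `httptest` against an `http.FileServer` rooted first at `public` and then at the parent directory. The file names and directory layout are assumptions for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
)

// statusFor runs one in-process GET for urlPath against an http.FileServer
// rooted at root and returns the response status code. No listener is opened.
func statusFor(root, urlPath string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, urlPath, nil)
	http.FileServer(http.Dir(root)).ServeHTTP(rec, req)
	return rec.Code
}

// makeTree builds a constructed layout in a temp dir and returns its path:
//   <tmp>/public/hello.txt   the only file meant to be served
//   <tmp>/secret.txt         a sibling that must never be reachable
func makeTree() (string, error) {
	tmp, err := os.MkdirTemp("", "fileserver-demo")
	if err != nil {
		return "", err
	}
	pub := filepath.Join(tmp, "public")
	if err := os.Mkdir(pub, 0o755); err != nil {
		return "", err
	}
	if err := os.WriteFile(filepath.Join(pub, "hello.txt"), []byte("hello\n"), 0o644); err != nil {
		return "", err
	}
	err = os.WriteFile(filepath.Join(tmp, "secret.txt"), []byte("private\n"), 0o600)
	return tmp, err
}

func main() {
	tmp, err := makeTree()
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	defer os.RemoveAll(tmp)
	pub := filepath.Join(tmp, "public")
	// Root is the boundary: FileServer cleans "/../" away, so the sibling stays 404.
	fmt.Println(statusFor(pub, "/hello.txt"), statusFor(pub, "/../secret.txt")) // 200 404
	// Choosing a root above the public folder is what exposes the sibling.
	fmt.Println(statusFor(tmp, "/secret.txt")) // 200
}
```

The third request shows the rule's finding in miniature: widening the root by one directory level, with no change to the handler or to request handling, is enough to serve a file that was never meant to be public.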
## Rule Details
| Field | Value |
|---|---|
| ID | CODE-0784 |
| Category | AccessControl |
| Severity | MEDIUM |
| CWE | CWE-552 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | filesystem, http handler |
| OWASP | A5:2017-Broken Access Control, A01:2021-Broken Access Control |