fix(security): validate sidecar paths to prevent path injection attacks

jkyberneees · jkyberneees · commit d63c75990596 · 2026-03-24T21:10:00.000+01:00
Fixes CodeQL path-injection warning in loadSidecar function. The sidecar
file paths (.gz, .br, .zst extensions) are now validated to ensure they
remain within the root directory, preventing symlink escape attacks.

- Convert loadSidecar to a method on FileHandler for access to absRoot
- Resolve symlinks in both the sidecar path and root directory
- Validate sidecar path is within root before reading
- Log rejected paths for security auditing
diff --git a/internal/handler/file.go b/internal/handler/file.go
@@ -297,9 +297,9 @@ func (h *FileHandler) serveFromDisk(ctx *fasthttp.RequestCtx, absPath, urlPath s
 	// compressible and large enough to benefit from compression.
 	if h.cfg.Compression.Enabled && h.cfg.Compression.Precompressed &&
 		compress.IsCompressible(ct) && len(data) >= h.cfg.Compression.MinSize {
-		cached.GzipData = loadSidecar(absPath + ".gz")
-		cached.BrData = loadSidecar(absPath + ".br")
-		cached.ZstdData = loadSidecar(absPath + ".zst")
+		cached.GzipData = h.loadSidecar(absPath + ".gz")
+		cached.BrData = h.loadSidecar(absPath + ".br")
+		cached.ZstdData = h.loadSidecar(absPath + ".zst")
 	}
 
 	// Generate on-the-fly gzip if no sidecar and content is compressible.
@@ -502,9 +502,44 @@ func detectContentType(path string, data []byte) string {
 }
 
 // loadSidecar attempts to read a pre-compressed sidecar file.
-// Returns nil if the sidecar does not exist or cannot be read.
-func loadSidecar(path string) []byte {
-	data, err := os.ReadFile(path)
+// Returns nil if the sidecar does not exist, cannot be read, or fails validation.
+// The path must be a validated absolute filesystem path; this function validates
+// that the sidecar file is still within the expected root directory to prevent
+// path injection attacks (e.g., symlink escape via sidecar extension).
+func (h *FileHandler) loadSidecar(path string) []byte {
+	// Validate that the sidecar path is still within the root directory.
+	// This prevents symlink escape attacks where a sidecar file could point
+	// outside the intended directory tree.
+	realPath, err := filepath.EvalSymlinks(path)
+	if err != nil {
+		// File doesn't exist or can't be resolved — safe to return nil.
+		if os.IsNotExist(err) {
+			return nil
+		}
+		// Other errors (permission denied, etc.) — treat as inaccessible.
+		return nil
+	}
+
+	// Resolve the root directory to its canonical path for comparison.
+	// This is important on platforms like macOS where /tmp → /private/tmp.
+	realRoot := h.absRoot
+	if r, err := filepath.EvalSymlinks(h.absRoot); err == nil {
+		realRoot = r
+	}
+
+	// Ensure the resolved sidecar path is still within the root directory.
+	if !strings.HasSuffix(realRoot, string(filepath.Separator)) {
+		realRoot += string(filepath.Separator)
+	}
+
+	if realPath != realRoot && !strings.HasPrefix(realPath, realRoot) {
+		// Sidecar path escapes the root — reject it.
+		log.Printf("handler: sidecar path escapes root: %q", path)
+		return nil
+	}
+
+	// Path is safe — read the file.
+	data, err := os.ReadFile(realPath)
 	if err != nil {
 		return nil
 	}
