GHSA-5wvv-q5fv-2388: hyper-staticfile's location header incorporates user input, allowing open redirect
When hyper-staticfile performs a redirect for a directory request (e.g. a request for /dir that redirects to /dir/), the Location header value was derived from user input (the request path), simply appending a slash. The intent was to perform an origin-relative redirect, but specific inputs allowed performing a scheme-relative redirect instead.
An attacker could craft a special URL that would appear to be for the correct domain, but immediately redirects to a malicious domain. Such a URL can benefit phishing attacks, for example an innocent looking link in an email.
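The construction the advisory describes, and a check that catches it, as an added example. This is not hyper-staticfile's code or its actual fix; the function names, the naive "append a slash" shape and the host name attacker.example are assumptions made here for illustration. The point is that a path beginning with two slashes, once a slash is appended, is a scheme-relative (network-path) reference under RFC 3986, which a browser resolves to another host on the current scheme rather than to a path on the serving origin.

```rust
// Added example (not hyper-staticfile's code): how a directory redirect's
// Location value can become scheme-relative, a check that detects that,
// and one hardened construction. Names and inputs are constructed here.

/// The unsafe shape the advisory describes: take the request path as-is
/// and append a slash. Assumed for illustration, not the crate's code.
pub fn redirect_location_naive(request_path: &str) -> String {
    format!("{}/", request_path)
}

/// An origin-relative reference has exactly one leading slash.
/// "//host/..." is a network-path reference that browsers resolve against
/// the current scheme and the given host, so it is rejected. Some browsers
/// also treat a backslash like a slash, so "/\host" is rejected as well.
pub fn is_origin_relative(location: &str) -> bool {
    let mut chars = location.chars();
    match (chars.next(), chars.next()) {
        (Some('/'), Some('/')) => false,
        (Some('/'), Some('\\')) => false,
        (Some('/'), _) => true,
        _ => false,
    }
}

/// Hardened construction (an illustration, not the crate's actual fix):
/// strip every leading slash or backslash and any trailing slashes, then
/// rebuild "/<path>/" so the result is always origin-relative.
pub fn redirect_location_hardened(request_path: &str) -> String {
    let trimmed = request_path
        .trim_start_matches(|c: char| c == '/' || c == '\\')
        .trim_end_matches('/');
    if trimmed.is_empty() {
        "/".to_string()
    } else {
        format!("/{}/", trimmed)
    }
}

fn main() {
    // Constructed request paths: a normal directory and a crafted one.
    for path in ["/dir", "//attacker.example"] {
        let naive = redirect_location_naive(path);
        let hardened = redirect_location_hardened(path);
        println!(
            "{:<22} naive={:<22} origin_relative={:<5} hardened={}",
            path,
            naive,
            is_origin_relative(&naive),
            hardened
        );
    }
}
```

Used as a response-side check, `is_origin_relative` would run over every Location value the server emits for a directory redirect; a false result is the signal that user input reached the header unnormalised.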