GHSA-9F3R-2VGW-M8XP

Vulnerability from github – Published: 2026-03-16 20:45 – Updated: 2026-03-30 14:00
VLAI?
Summary
File Browser has an Access Rule Bypass via Path Traversal in Copy/Rename Destination Parameter
Details

Description

The resourcePatchHandler in http/resource.go validates the destination path against configured access rules before the path is cleaned/normalized. The rules engine (rules/rules.go) uses literal string prefix matching (strings.HasPrefix) or regex matching against the raw path. The actual file operation (fileutils.Copy, patchAction) subsequently calls path.Clean() which resolves .. sequences, producing a different effective path than the one validated.

This allows an authenticated user with Create or Rename permissions to bypass administrator-configured deny rules by including .. (dot-dot) path traversal sequences in the destination query parameter of a PATCH request.

Steps to Reproduce

1. Verify the rule works normally

# This should return 403 Forbidden
curl -X PATCH \
  -H "X-Auth: <alice_jwt>" \
  "http://host/api/resources/public/test.txt?action=copy&destination=%2Frestricted%2Fcopied.txt"

2. Exploit the bypass

# This should succeed despite the deny rule
curl -X PATCH \
  -H "X-Auth: <alice_jwt>" \
  "http://host/api/resources/public/test.txt?action=copy&destination=%2Fpublic%2F..%2Frestricted%2Fcopied.txt"

3. Result

The file test.txt is copied to /restricted/copied.txt despite the deny rule for /restricted/.

Root Cause Analysis

In http/resource.go:209-257:

dst := r.URL.Query().Get("destination")       // line 212
dst, err := url.QueryUnescape(dst)             // line 214 — dst contains ".."
if !d.Check(src) || !d.Check(dst) {            // line 215 — CHECK ON UNCLEANED PATH
    return http.StatusForbidden, nil
}

In rules/rules.go:29-35:

func (r *Rule) Matches(path string) bool {
    if r.Regex {
        return r.Regexp.MatchString(path)      // regex on literal path
    }
    return strings.HasPrefix(path, r.Path)     // prefix on literal path
}

In fileutils/copy.go:12-17:

func Copy(afs afero.Fs, src, dst string, ...) error {
    if dst = path.Clean("/" + dst); dst == "" { // CLEANING HAPPENS HERE, AFTER CHECK
        return os.ErrNotExist
    }

The rules check sees /public/../restricted/copied.txt (no match for /restricted/ prefix). The file operation resolves it to /restricted/copied.txt (within the restricted path).

Secondary Issue

In the same handler, the error from url.QueryUnescape is checked after d.Check() runs (lines 214-220), meaning the rules check executes on a potentially malformed string if unescaping fails.

Impact

An authenticated user with Copy (Create) or Rename permission can write or move files into any path within their scope that is protected by deny rules. This bypasses both:

  • Prefix-based rules: strings.HasPrefix on uncleaned path misses the match
  • Regex-based rules: Standard patterns like ^/restricted/.* fail on uncleaned path

Cannot be used to:

  • Escape the user's BasePathFs scope (afero prevents this)
  • Read from restricted paths (GET handler uses cleaned r.URL.Path)

Suggested Fix

Clean the destination path before the rules check:

dst, err := url.QueryUnescape(dst)
if err != nil {
    return errToStatus(err), err
}
dst = path.Clean("/" + dst)
src = path.Clean("/" + src)
if !d.Check(src) || !d.Check(dst) {
    return http.StatusForbidden, nil
}
if dst == "/" || src == "/" {
    return http.StatusForbidden, nil
}
Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.61.2"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/filebrowser/filebrowser/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.62.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32758"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-16T20:45:12Z",
    "nvd_published_at": "2026-03-20T00:16:17Z",
    "severity": "MODERATE"
  },
  "details": "## Description\n\nThe `resourcePatchHandler` in `http/resource.go` validates the destination path against configured access rules before the path is cleaned/normalized. The rules engine (`rules/rules.go`) uses literal string prefix matching (`strings.HasPrefix`) or regex matching against the raw path. The actual file operation (`fileutils.Copy`, `patchAction`) subsequently calls `path.Clean()` which resolves `..` sequences, producing a different effective path than the one validated.\n\nThis allows an authenticated user with Create or Rename permissions to bypass administrator-configured deny rules by including `..` (dot-dot) path traversal sequences in the `destination` query parameter of a PATCH request.\n\n## Steps to Reproduce\n\n### 1. Verify the rule works normally\n\n```bash\n# This should return 403 Forbidden\ncurl -X PATCH \\\n  -H \"X-Auth: \u003calice_jwt\u003e\" \\\n  \"http://host/api/resources/public/test.txt?action=copy\u0026destination=%2Frestricted%2Fcopied.txt\"\n```\n\n### 2. Exploit the bypass\n\n```bash\n# This should succeed despite the deny rule\ncurl -X PATCH \\\n  -H \"X-Auth: \u003calice_jwt\u003e\" \\\n  \"http://host/api/resources/public/test.txt?action=copy\u0026destination=%2Fpublic%2F..%2Frestricted%2Fcopied.txt\"\n```\n\n### 3. Result\n\nThe file `test.txt` is copied to `/restricted/copied.txt` despite the deny rule for `/restricted/`.\n\n## Root Cause Analysis\n\nIn `http/resource.go:209-257`:\n\n```go\ndst := r.URL.Query().Get(\"destination\")       // line 212\ndst, err := url.QueryUnescape(dst)             // line 214 \u2014 dst contains \"..\"\nif !d.Check(src) || !d.Check(dst) {            // line 215 \u2014 CHECK ON UNCLEANED PATH\n    return http.StatusForbidden, nil\n}\n```\n\nIn `rules/rules.go:29-35`:\n\n```go\nfunc (r *Rule) Matches(path string) bool {\n    if r.Regex {\n        return r.Regexp.MatchString(path)      // regex on literal path\n    }\n    return strings.HasPrefix(path, r.Path)     // prefix on literal path\n}\n```\n\nIn `fileutils/copy.go:12-17`:\n\n```go\nfunc Copy(afs afero.Fs, src, dst string, ...) error {\n    if dst = path.Clean(\"/\" + dst); dst == \"\" { // CLEANING HAPPENS HERE, AFTER CHECK\n        return os.ErrNotExist\n    }\n```\n\nThe rules check sees `/public/../restricted/copied.txt` (no match for `/restricted/` prefix).\nThe file operation resolves it to `/restricted/copied.txt` (within the restricted path).\n\n## Secondary Issue\n\nIn the same handler, the error from `url.QueryUnescape` is checked after `d.Check()` runs (lines 214-220), meaning the rules check executes on a potentially malformed string if unescaping fails.\n\n## Impact\n\nAn authenticated user with Copy (Create) or Rename permission can write or move files into any path within their scope that is protected by deny rules. This bypasses both:\n\n- Prefix-based rules: `strings.HasPrefix` on uncleaned path misses the match\n- Regex-based rules: Standard patterns like `^/restricted/.*` fail on uncleaned path\n\nCannot be used to:\n\n- Escape the user\u0027s BasePathFs scope (afero prevents this)\n- Read from restricted paths (GET handler uses cleaned `r.URL.Path`)\n\n## Suggested Fix\n\nClean the destination path before the rules check:\n\n```go\ndst, err := url.QueryUnescape(dst)\nif err != nil {\n    return errToStatus(err), err\n}\ndst = path.Clean(\"/\" + dst)\nsrc = path.Clean(\"/\" + src)\nif !d.Check(src) || !d.Check(dst) {\n    return http.StatusForbidden, nil\n}\nif dst == \"/\" || src == \"/\" {\n    return http.StatusForbidden, nil\n}\n```",
  "id": "GHSA-9f3r-2vgw-m8xp",
  "modified": "2026-03-30T14:00:51Z",
  "published": "2026-03-16T20:45:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-9f3r-2vgw-m8xp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32758"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/commit/4bd7d69c82163b201a987e99c0c50d7ecc6ee5f1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/filebrowser/filebrowser"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.62.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "File Browser has an Access Rule Bypass via Path Traversal in Copy/Rename Destination Parameter"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.