Skip to content

Fix staticmw#2891

Merged
aldas merged 3 commits intolabstack:masterfrom
aldas:fix_staticmw
Feb 6, 2026
Merged

Fix staticmw#2891
aldas merged 3 commits intolabstack:masterfrom
aldas:fix_staticmw

Conversation

@aldas
Copy link
Contributor

@aldas aldas commented Feb 6, 2026
edited
Loading

Fix directory traversal vulnerability under Windows in Static middleware when default Echo filesystem is used. Reported by @shblue21.

This applies to cases when:

  • Windows is used as OS
  • middleware.StaticConfig.Filesystem is nil (default)
  • echo.Filesystem is has not been set explicitly (default)

aldas added 2 commits February 6, 2026 12:27
@aldas
Fix directory traversal vulnerability under Windows in Static middlew…
88d975a 
…are when default Echo filesytem is used (effectively `middleware.StaticConfig{Filesystem: nil}`)
@aldas
Fix directory traversal vulnerability under Windows in Static middlew…
6c16259 
…are when default Echo filesytem is used (effectively `middleware.StaticConfig{Filesystem: nil}`)
@codecov
Copy link

codecov bot commented Feb 6, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 76.47059% with 8 lines in your changes missing coverage. Please review.
✅ Project coverage is 92.92%. Comparing base (0954d6e) to head (48f25a6).
⚠️ Report is 8 commits behind head on master.

Files with missing lines Patch % Lines
middleware/static.go 72.00% 3 Missing and 4 partials ⚠️
middleware/static_other.go 85.71% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #2891      +/-   ##
==========================================
- Coverage   93.02%   92.92%   -0.10%     
==========================================
  Files          43       43              
  Lines        4456     4480      +24     
==========================================
+ Hits         4145     4163      +18     
- Misses        194      197       +3     
- Partials      117      120       +3

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@aldas aldas merged commit b1d4430 into labstack:master Feb 6, 2026
6 of 7 checks passed
@aldas
Copy link
Contributor Author

aldas commented Feb 6, 2026
edited
Loading

This is a major f*ckup.

We have tests for this same thing for 5+ years (from latest vuln) but in tests we created new filesystem and did not use default one. Default one can not access _fixtures folder when tests are run in middlewares folder and to get tests run we created one os.DirFS("../").

This was introduced in first v5 proposal branch in ~2021.10

@aldas aldas deleted the fix_staticmw branch February 6, 2026 13:31
@shblue21
Copy link

shblue21 commented Feb 9, 2026

Thanks for maintaining Echo I use it a lot and really appreciate the work.
In my experience it’s one of the fastest-performing Go web frameworks.

Thanks for looking into this quickly and the transparency here.
Windows + default filesystem behavior is a tricky edge case, and I appreciate you addressing it promptly.
I’m glad this is fixed in v5.0.3, and I appreciate you coordinating the advisory/CVE process.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@aldas @shblue21