Gleam Wisp Path Traversal Vulnerability Allowing Arbitrary File Read

A path traversal vulnerability has been identified in the Gleam Wisp framework, specifically in versions 2.1.1 prior to 2.2.1. The issue arises in the 'serve_static' function, where improper sanitization of the request path allows for percent-encoded traversal sequences to bypass security measures. This vulnerability enables an unauthenticated attacker to read any file accessible by the application process, including sensitive data such as application source code, configuration files, secrets, and system files.

Impact

Exploitation of this vulnerability allows for arbitrary file reading, with potential access to sensitive application and system files, depending on the application's file permissions.

Reproduction

The vulnerability can be reproduced by sending an HTTP request to a server using the Gleam Wisp framework, with the 'path-as-is' option to prevent client-side normalization. The request should include a percent-encoded path traversal sequence, such as '%2e%2e', to access files outside the intended directory.

Remediation

Users can update to Gleam Wisp version 2.2.1, which addresses the vulnerability by properly sanitizing the request path after percent-decoding. Alternatively, the fixed implementation can be copied into the codebase, replacing references to 'wisp.serve_static' with the updated version.