Container Escape in Fiber

Container escape in Fiber applications typically occurs through insecure file system access patterns and improper privilege handling. Since Fiber is a Go-based web framework, it inherits Go's standard library behaviors that can inadvertently expose paths outside the container's root filesystem.

A common manifestation involves path traversal vulnerabilities in file serving endpoints. Consider this problematic Fiber pattern:

app.Get("/download/", func(c *fiber.Ctx) error {
    filePath := c.Query("file")
    return c.SendFile(filePath) // Vulnerable to path traversal
})

An attacker can request /download/?file=../../etc/passwd to read files outside the intended directory. The issue compounds when combined with Fiber's static file serving:

app.Static("/public", "./public") // May expose parent directories

Without proper path sanitization, requests like /public/../../etc/passwd can traverse outside the static directory. This becomes critical in containerized environments where the host filesystem might contain sensitive configuration files or credentials.

Another Fiber-specific pattern involves improper use of Go's os/exec package for system commands:

app.Post("/run-script", func(c *fiber.Ctx) error {
    script := c.FormValue("script")
    cmd := exec.Command("bash", "-c", script) // Command injection risk
    output, _ := cmd.CombinedOutput()
    return c.SendString(string(output))
})

When this runs inside a container with elevated privileges or mounted volumes, attackers can execute commands that escape the container context, potentially accessing the host filesystem or Docker socket.

Detecting container escape vulnerabilities in Fiber applications requires examining both the application code and runtime behavior. For code analysis, look for these patterns:

// Dangerous patterns to flag:
// 1. Direct file path usage without validation
func handler(c *fiber.Ctx) error {
    path := c.Query("path")
    return c.SendFile(path) // No validation
}

// 2. Unsafe static serving
app.Static("/static", "./") // Serving from root

// 3. Command execution with user input
cmd := exec.Command("sh", "-c", userInput)

Runtime detection involves monitoring for suspicious file access patterns. Using middleBrick's black-box scanning, you can test for path traversal by sending requests like:

curl -s http://api.example.com/download?file=../../etc/passwd

middleBrick's BOLA (Broken Object Level Authorization) checks specifically test for path traversal vulnerabilities by attempting to access files outside designated directories. The scanner sends 100+ test cases including encoded path traversal sequences, null byte injections, and symbolic link attacks.

For containerized Fiber applications, middleBrick can detect when endpoints serve files from unexpected locations or when command execution endpoints are exposed. The scanner checks if the application properly restricts file access to designated directories and validates user input before executing system commands.

LLM-specific detection is particularly relevant for Fiber applications using AI features. middleBrick's AI security module tests for system prompt leakage and prompt injection attacks that could lead to container escape through manipulated AI responses.

Securing Fiber applications against container escape requires defense-in-depth approaches. Start with strict path validation:

func validatePath(baseDir, requestPath string) (string, error) {
    // Clean and validate the path
    cleanPath := filepath.Clean(requestPath)
    if cleanPath == "." || cleanPath == ".." {
        return "", errors.New("invalid path")
    }
    
    targetPath := filepath.Join(baseDir, cleanPath)
    if !strings.HasPrefix(targetPath, baseDir) {
        return "", errors.New("path traversal detected")
    }
    
    if !fileExists(targetPath) {
        return "", os.ErrNotExist
    }
    
    return targetPath, nil
}

app.Get("/download/", func(c *fiber.Ctx) error {
    baseDir := "/app/files"
    filePath := c.Query("file")
    
    targetPath, err := validatePath(baseDir, filePath)
    if err != nil {
        return c.Status(fiber.StatusForbidden).SendString("Access denied")
    }
    
    return c.SendFile(targetPath)
})

For static file serving, always specify explicit directories:

app.Static("/static", "./static", fiber.StaticOptions{
    Browse:    false,
    Index:     "index.html",
    Fallback:  "index.html",
    Extensions: []string{"html"},
})

Command execution requires even stricter controls. Use a whitelist approach:

var allowedCommands = map[string][]string{
    "ls": {"-la"},
    "cat": {"-n"},
}

app.Post("/run-command", func(c *fiber.Ctx) error {
    cmdName := c.FormValue("command")
    args := c.FormValue("args")
    
    allowedArgs, ok := allowedCommands[cmdName]
    if !ok {
        return c.Status(fiber.StatusBadRequest).SendString("Command not allowed")
    }
    
    cmd := exec.Command(cmdName, allowedArgs...)
    output, err := cmd.CombinedOutput()
    if err != nil {
        return c.Status(fiber.StatusInternalServerError).SendString(err.Error())
    }
    
    return c.SendString(string(output))
})

Container-level hardening is equally important. Run Fiber applications as non-root users, avoid mounting unnecessary volumes, and use read-only filesystems where possible. Implement proper user namespaces and seccomp profiles to restrict system calls.

For comprehensive security, integrate middleBrick into your CI/CD pipeline. The GitHub Action can automatically scan your Fiber API endpoints before deployment, failing builds if container escape vulnerabilities are detected. This ensures security validation happens consistently across all environments.