Path Traversal in Gorilla Mux with Basic Auth

Path Traversal in Gorilla Mux with Basic Auth occurs when user-controlled path segments reach file-system operations without sufficient validation, even when the endpoint is protected by Basic Authentication. Basic Auth in Gorilla Mux is typically implemented via a request header check (the Authorization header), but authentication and path handling are separate concerns. If routes are defined with a path parameter such as /files/{filename} and the handler directly concatenates that parameter into filesystem functions (for example, os.Open or ioutil.ReadFile), an attacker can supply sequences like ../../../etc/passwd to traverse directories. The presence of Basic Auth does not mitigate this; it only confirms that the request includes valid credentials, but the handler may still process malicious paths if input validation is missing.

Consider a Gorilla Mux route that serves files from a base directory. A common pattern is to extract the filename from the route variables and join it with a base path. If the join operation does not clean or restrict the resulting path, an attacker can exploit .. segments to escape the intended directory. For instance, a handler like the following is vulnerable:

// Vulnerable example
func fileHandler(baseDir string) http.HandlerFunc {
    return func(w http.ResponseWriter, r *http.Request) {
        vars := mux.Vars(r)
        filename := vars["filename"]
        path := filepath.Join(baseDir, filename) // Unsafe if baseDir lacks trailing separator or filename contains ..
        data, err := os.ReadFile(path)
        if err != nil {
            http.Error(w, "Unable to read file", http.StatusInternalServerError)
            return
        }
        w.Write(data)
    }
}

Even with Basic Auth protecting the endpoint, an authenticated user (or an attacker who obtained valid credentials) can still traverse directories if the filename is not sanitized. The authentication layer verifies identity but does not enforce authorization boundaries on file paths. Moreover, if the base directory is not constructed carefully (for example, missing a clean trailing slash), filepath.Join can produce unexpected results that allow directory escape. This combination highlights the need to treat authentication and path safety independently: Basic Auth confirms who is making the request, but the application must still validate and constrain file paths to prevent traversal.

In the context of API security scanning, such patterns are flagged because they demonstrate that authentication does not automatically prevent insecure direct object references or path manipulation. An attacker may use Basic Auth credentials (or exploit exposed endpoints) to probe directory structures, attempting sensitive files like configuration or source code. The scanner tests unauthenticated surfaces by default, but if Basic Auth is required, the presence of valid credentials does not reduce the risk of path traversal if the handler is not properly constrained.

To remediate Path Traversal in Gorilla Mux while using Basic Auth, ensure that all user-controlled path inputs are validated, restricted, and cleaned before being used in filesystem operations. Do not rely on Basic Auth for path safety; treat authentication and path handling as separate controls.

1. Use a strict allowlist and filepath.Clean

Restrict filenames to a safe set and always clean the joined path. Compare the cleaned path to ensure it remains within the intended base directory.

// Secure example with allowlist and clean check
var allowed = map[string]bool{
    "report.pdf": true,
    "readme.txt": true,
}

func secureFileHandler(baseDir string) http.HandlerFunc {
    return func(w http.ResponseWriter, r *http.Request) {
        vars := mux.Vars(r)
        filename := vars["filename"]
        if !allowed[filename] {
            http.Error(w, "file not allowed", http.StatusBadRequest)
            return
        }
        path := filepath.Join(baseDir, filename)
        cleanPath := filepath.Clean(path)
        // Ensure the resolved path stays inside baseDir
        if !strings.HasPrefix(cleanPath, filepath.Clean(baseDir)+string(os.PathSeparator)) && cleanPath != filepath.Clean(baseDir) {
            http.Error(w, "path traversal attempt", http.StatusBadRequest)
            return
        }
        data, err := os.ReadFile(cleanPath)
        if err != nil {
            http.Error(w, "unable to read file", http.StatusInternalServerError)
            return
        }
        w.Write(data)
    }
}

2. Use http.Dir and Open with context

The standard library’s http.Dir implements Open and performs its own safety checks. Combined with http.FileSystem, it can reduce the risk of path traversal. When using Basic Auth, wrap the filesystem handler after authentication checks.

// Using http.Dir for safer file serving
func fileserverWithAuth(baseDir string, next http.Handler) http.HandlerFunc {
    return func(w http.ResponseWriter, r *http.Request) {
        // Assume Basic Auth validation has already occurred in next or via middleware
        fs := http.Dir(baseDir)
        http.StripPrefix("/files/", http.FileServer(fs)).ServeHTTP(w, r)
    }
}

3. Middleware for Basic Auth and path validation

Implement a middleware that validates credentials and enforces path constraints before reaching the handler. This keeps route definitions clean and centralizes security logic.

// Basic Auth middleware with path constraints
func basicAuth(next http.HandlerFunc) http.HandlerFunc {
    return func(w http.ResponseWriter, r *http.Request) {
        const user, pass = "admin", "secret"
        user, pass, ok := r.BasicAuth()
        if !ok || user != user || pass != pass {
            w.Header().Set("WWW-Authenticate", `Basic realm="restricted"`)
            http.Error(w, "unauthorized", http.StatusUnauthorized)
            return
        }
        next.ServeHTTP(w, r)
    }
}

// Usage
mux := mux.NewRouter()
mux.HandleFunc("/files/{filename}", basicAuth(secureFileHandler("/safe/base/dir")))

By combining these practices—allowlisting, path cleaning, directory boundary checks, and middleware-based authentication—you reduce the risk of Path Traversal in Gorilla Mux without conflating authentication with file-path safety.