🐛 [Bug]: internal error on static path prefix ending with ".."

[simonbrandhof]

Bug Description

A request to a path handled by a static router generates an internal server error if the requested path matches the router "prefix" suffixed with ...

For example if the router prefix is /css, the requests to /css../* return the 500 error code.

That could be considered as a vulnerability:

• raise false-positive alerts in the monitoring system
• potential deeper vulnerabilities. The error could be a symptom of an underlying issue.

How to Reproduce

Steps to reproduce the behavior:

1. create the directory ./css
2. start the server:

func main() {
  app := fiber.New()
  app.Static("/css", "./css")
  app.Listen(":3000")
}

3. request http://localhost:3000/css../whatever. The 500 error code is returned instead of the expected 404.

Expected Behavior

The static router should always return 404 if the requested path does not exist.

A workaround is to explicitly exclude the buggy path:

func main() {
  app := fiber.New()
  app.Use("/css..", func(c *fiber.Ctx) error {
    return c.SendStatus(fiber.StatusNotFound)
  })
  app.Static("/css", "./css")
  app.Listen(":3000")
}

Fiber Version

v2.52.5

Code Snippet (optional)

No response

Checklist:

• I agree to follow Fiber's Code of Conduct.
• I have checked for existing issues that describe my problem prior to opening this one.
• I understand that improperly formatted bug reports may be closed without explanation.

[welcome]

Thanks for opening your first issue here! 🎉 Be sure to follow the issue template! If you need help or want to chat with us, join us on Discord https://gofiber.io/discord

[gaby]

This behavior was also seen when adding more tests to #3105

[gaby]

I have tested and confirmed that this returns 404 when using Fiber v3.

@simonbrandhof You are using v2.5.x right ?

[simonbrandhof]

@gaby exact, v2.52.5