GHSA-h5fg-jpgr-rv9c

Описание

Description

There is a flaw in the hidden file protection feature of Vert.x Web’s StaticHandler when setIncludeHidden(false) is configured.

In the current implementation, only files whose final path segment (i.e., the file name) begins with a dot (.) are treated as “hidden” and are blocked from being served. However, this logic fails in the following cases:

• Files under hidden directories: For example, /.secret/config.txt — although .secret is a hidden directory, the file config.txt itself does not start with a dot, so it gets served.
• Real-world impact: Sensitive files placed in hidden directories like .git, .env, .aws may become publicly accessible.

As a result, the behavior does not meet the expectations set by the includeHidden=false configuration, which should ideally protect all hidden files and directories. This gap may lead to unintended exposure of sensitive information.

Steps to Reproduce

Potential Impact

1. Information Disclosure

Examples of sensitive files that could be exposed:

• .git/config: Git repository settings (e.g., remote URL, credentials)
• .env/*: Environment variables (API keys, DB credentials)
• .aws/credentials: AWS access keys
• .ssh/known_hosts: SSH host trust info
• .docker/config.json: Docker registry credentials

2. Attack Scenarios

• Attackers can guess common hidden directory names and enumerate filenames under them to access confidential data.
• Especially dangerous for .git/HEAD, .git/config, .git/objects/* — which may allow full reconstruction of source code.

3. Affected Scope

• Affected version: Vert.x Web 5.1.0-SNAPSHOT (likely earlier versions as well)
• Environments: All OSes (Windows, Linux, macOS)
• Configurations: All applications using StaticHandler.setIncludeHidden(false)