HIGH zip slipfiberapi keys

Zip Slip in Fiber with Api Keys

Scan for zip slip in fiber

Zip Slip in Fiber with Api Keys — how this specific combination creates or exposes the vulnerability

Zip Slip is a path traversal vulnerability that occurs when an application constructs file paths using user-supplied input without proper validation. In the Fiber Golang web framework, this commonly arises when handling file downloads or uploads where a filename parameter is used to build filesystem paths. Combining this with API key handling can amplify the risk: API keys are often passed via query parameters, headers, or request bodies, and if they influence file path resolution, an attacker can leverage traversal sequences (e.g., ../../../) to escape intended directories and access or overwrite sensitive files.

For example, an endpoint that uses an API key to identify a user-specific storage location may concatenate the key directly into a path. If the key or a related filename is not sanitized, a malicious payload like ../../../../etc/passwd can traverse outside the intended directory. Because API keys are high-value secrets, exposing or corrupting files that contain them can lead to privilege escalation, service impersonation, or data leakage. The vulnerability is not inherent to Fiber but emerges from insecure path construction when API key-derived values are used in filesystem operations.

In a black-box scan, middleBrick tests such scenarios by probing endpoints that accept path parameters and checking whether traversal succeeds. The tool also examines API key usage patterns, such as keys passed in headers or query strings, to determine whether they affect file system interactions. Findings often include references to the OWASP API Top 10 and can align with compliance frameworks like PCI-DSS and SOC2 when sensitive data exposure is detected.

Api Keys-Specific Remediation in Fiber — concrete code fixes

To mitigate Zip Slip in Fiber when API keys are involved, ensure that any user input used in filesystem paths is validated, normalized, and restricted to a predefined base directory. Avoid directly concatenating API keys or filenames provided by the client into paths. Instead, use a whitelist of allowed characters, enforce strict path cleaning, and resolve paths using functions that prevent directory traversal.

Below are two concrete Fiber handler examples: one vulnerable and one remediated.

Vulnerable Example

package main

import (
    "github.com/gofiber/fiber/v2"
    "io"
    "os"
    "path/filepath"
)

func downloadHandler(c *fiber.Ctx) error {
    // Vulnerable: filename and apiKey used directly in path construction
    filename := c.Query("file")
    apiKey := c.Query("api_key")
    baseDir := "/var/data/" + apiKey
    path := baseDir + "/" + filename
    file, err := os.Open(path)
    if err != nil {
        return c.SendStatus(fiber.StatusInternalServerError)
    }
    defer file.Close()
    _, err = io.Copy(c.BodyWriter(), file)
    if err != nil {
        return c.SendStatus(fiber.StatusInternalServerError)
    }
    return c.SendStatus(fiber.StatusOK)
}

In this example, an attacker can supply file=../../../etc/passwd and a valid API key to read arbitrary files. The base directory is also predictable, making enumeration easier.

Remediated Example

package main

import (
    "github.com/gofiber/fiber/v2"
    "io"
    "os"
    "path/filepath"
    "regexp"
    "strings"
)

// sanitizeFilename ensures the filename contains only safe characters.
func sanitizeFilename(name string) string {
    // Allow alphanumerics, underscores, hyphens, and dots.
    re := regexp.MustCompile(`[^a-zA-Z0-9_.-]`)
    return re.ReplaceAllString(name, "_")
}

func downloadHandler(c *fiber.Ctx) error {
    filename := c.Query("file")
    apiKey := c.Query("api_key")

    // Validate apiKey format (e.g., expected length and character set).
    if !regexp.MustCompile(`^[a-zA-Z0-9_-]{16,64}$`).MatchString(apiKey) {
        return c.Status(fiber.StatusBadRequest).SendString("invalid api_key")
    }

    cleaned := sanitizeFilename(filename)
    // Use filepath.Clean to eliminate traversal sequences.
    cleanPath := filepath.Clean("/" + cleaned)
    if strings.HasPrefix(cleanPath, "..") || cleanPath == "/" {
        return c.Status(fiber.StatusBadRequest).SendString("invalid file path")
    }

    baseDir := filepath.Clean("/var/data/" + apiKey)
    // Ensure the resolved path remains within baseDir.
    fullPath := filepath.Join(baseDir, cleanPath)
    if !strings.HasPrefix(fullPath, filepath.Clean(baseDir)+string(os.PathSeparator)) && fullPath != filepath.Clean(baseDir) {
        return c.Status(fiber.StatusForbidden).SendString("path traversal detected")
    }

    file, err := os.Open(fullPath)
    if err != nil {
        return c.SendStatus(fiber.StatusNotFound)
    }
    defer file.Close()
    _, err = io.Copy(c.BodyWriter(), file)
    if err != nil {
        return c.SendStatus(fiber.StatusInternalServerError)
    }
    return c.SendStatus(fiber.StatusOK)
}

Key remediation steps include: validating the API key format, sanitizing filenames, using filepath.Clean, and confirming the final path remains within the intended base directory. These practices reduce the attack surface for Zip Slip when API keys influence file access.

middleBrick can help identify such issues by scanning endpoints that handle API keys and file parameters, highlighting path traversal risks and providing remediation guidance aligned with OWASP API Top 10 categories.

Scan for zip slip in fiber Free API security scan

Frequently Asked Questions

Can middleware or custom validation in Fiber fully prevent Zip Slip when API keys are used?
Middleware can reduce risk by validating and sanitizing inputs early, but it must be applied consistently across all routes. Custom validation should normalize paths, reject traversal sequences, and enforce strict allowlists. Relying solely on middleware without secure path resolution in each handler may leave gaps.
How does middleBrick detect Zip Slip risks involving API keys in Fiber endpoints?
middleBrick tests endpoints by injecting traversal payloads in path-related parameters and observes whether files outside the intended directory are accessed. When API keys are passed in headers or query parameters, the scanner checks whether they affect file system operations and reports findings with remediation guidance.

Related Pages

Zip Slip in FiberLearn how Zip Slip path traversal vulnerabilities manifest in Fiber applications, how to detect them with middleBrick scZip Slip with Api KeysZip Slip in API key systems allows path traversal attacks that overwrite API keys and configuration. Learn detection andZip Slip in Fiber on CloudflareZip Slip in Fiber behind Cloudflare: how the combo exposes path traversal and how to fix it with safe extraction code.Zip Slip in Fiber on AzureUnderstand Zip Slip in Fiber on Azure with concrete examples and Azure-specific fixes. Learn how middleBrick detects patZip Slip in Fiber on DockerUnderstand Zip Slip in Fiber running inside Docker and apply Docker-specific fixes like safe extraction, non-root users,Zip Slip in Fiber on Fly IoExplore Zip Slip in Fiber on Fly Io, understand the risk, and apply concrete Go code fixes with path cleaning and validaPci Dss: Zip Slip in FiberPci Dss: Zip Slip in FiberSoc2: Zip Slip in FiberExplore Zip Slip risks in APIs built with Fiber, understand SOC 2 implications, and apply concrete code fixes to enforceIso 27001: Zip Slip in FiberUnderstand Zip Slip in Fiber through Iso 27001 controls, with secure extraction code examples and remediation guidance.Cis: Zip Slip in FiberUnderstand Zip Slip in Fiber APIs and apply concrete fixes with secure extraction patterns and path validation.Zip Slip in Fiber with DynamodbZip Slip in Fiber with DynamoDB: how path traversal arises and concrete validation fixes with Go code examples.Zip Slip in Fiber with CockroachdbUnderstand Zip Slip in Fiber with Cockroachdb, and apply concrete path validation and parameterized queries for secure d