Why were the patch versions for vulnerability (snyk id: NYK-GOLANG-GITHUBCOMRESTICRESTSERVER-2404178) released so late?

Hello, we are a research team working on Golang. During our investigation, we found that the vulnerability (Directory Traversal in github.com/restic/rest-server | Snyk) was addressed in commit 4c5077769cfbaa67cde8b2f6e2759d7818f6040f. However, we noticed that the patch version was released after a long time (409 days). We are curious about the reasons behind the delayed release of the patch version, as it may hinder the efficient distribution of patches to downstream users. Could the reason be

1.Issues with testing and CI checking.

2.Other commits have to be incorporated into one release.

3.By convention, versions are not frequently released.

4.Other reasons.

Thank you for your attention, and we look forward to receiving your reply.

That’s a tough question to answer, as a few years have already passed since then.

But I did some digging, which partially reconstructs what happened: before answering the actual question, we first have to take another look at the vulnerability. Snyk claims that it is a directory traversal attack. However, the vulnerability only allows access to a path that is prefixed with the user’s name. Any access outside that scope is not possible. (The security issue fixed in rest-server 0.10.0 was a path traversal vulnerability.) From looking through the CWE types, I’d rather classify the issue in rest-server 0.11.0 as CWE-842 or CWE-708.

The (copy&pasted) Proof of Concept also omits the most important part: unless there is some automation in place (not part of rest-server) that allows an attacker to create user names with slashes, it is essentially impossible to exploit the vulnerability (unless you manage to trick an administrator into setting up a new user that has the name of an existing user, just with a certain suffix). That is, when just using rest-server, Step 2 (htpasswd -B -b /tmp/restic/.htpasswd foo/config attack) can only be executed by someone who already has admin privileges on the server. Thus, exploitation essentially requires an intentional misconfiguration by an administrator, at which point it’s no longer reasonable to blame rest-server. See also the discussion in the pull request Security: Prevent loading of usernames containing a slash by juergenhoetzel · Pull Request #132 · restic/rest-server · GitHub.

In short, there was no perceived need for an immediate release of a patch version. Although I have to admit that we could have released one earlier on.

  1. Judging from the code changes since the last release, the answer is no.
  2. No.
  3. While we don’t frequently release new rest-server versions, there’s no convention that prevents a quick security release if necessary.
  4. See above.
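To make the reply's point concrete, here is an added example (not rest-server's own handler, and not taken from the thread above) that models a "private repos" authorization check in Go. The weak variant treats the authenticated username as a string prefix of the request path, which is what lets a username such as `foo/config` (the one created in Step 2 of the Proof of Concept) satisfy the check for a request to `/foo/config`, i.e. the config file of user `foo`'s repository. The hardened variant refuses usernames containing a slash, as the linked pull request does, and compares the username against the whole first path element. The exact check in the real rest-server source is not reproduced here; the function names and the request paths are assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example code: a simplified model of a private-repos access check.
// It is not rest-server's real handler; the function names are invented.

// ownerOf returns the first path element of a request path, i.e. the user
// whose repository directory the request addresses ("/foo/config" -> "foo").
func ownerOf(reqPath string) string {
	parts := strings.SplitN(strings.TrimPrefix(reqPath, "/"), "/", 2)
	return parts[0]
}

// allowedPrefixCheck is the weak form: the authenticated username is used
// as a bare string prefix of the request path. A username containing a
// slash, such as "foo/config", is a prefix of "/foo/config" and so passes,
// even though it addresses user foo's repository. The same check also lets
// "foo" through to "/foobar/config", another consequence of prefix matching.
func allowedPrefixCheck(user, reqPath string) bool {
	return strings.HasPrefix(reqPath, "/"+user)
}

// allowedComponentCheck is the hardened form: usernames with a slash are
// refused outright (mirroring PR #132), and the username must equal the
// entire first path element rather than merely be a prefix of the path.
func allowedComponentCheck(user, reqPath string) bool {
	if user == "" || strings.Contains(user, "/") {
		return false
	}
	return ownerOf(reqPath) == user
}

func main() {
	// Constructed inputs: the username from the PoC and two request paths.
	cases := []struct{ user, reqPath string }{
		{"foo", "/foo/config"},        // legitimate owner
		{"foo/config", "/foo/config"}, // PoC username with a slash
		{"foo", "/foobar/config"},     // prefix collision with another user
	}
	for _, c := range cases {
		fmt.Printf("user=%-11q path=%-16q prefix-check=%-5v component-check=%v\n",
			c.user, c.reqPath,
			allowedPrefixCheck(c.user, c.reqPath),
			allowedComponentCheck(c.user, c.reqPath))
	}
}
```

The component check alone would already block the `foo/config` user (its first path element is `foo`, not `foo/config`), but refusing slashes at load time is the cheaper and more robust place to enforce the invariant that one username maps to exactly one directory level, because it does not depend on every later path comparison being written correctly.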