This nginx config triggers the linter Path traversal issue warning: https://github.com/YunoHost-Apps/4get_ynh/blob/ff187dba99225c843e0f43ec414398e90cfed473/conf/nginx.conf
✘ The NGINX configuration (especially location [^/]\.php(/|$)) appears vulnerable to path traversal issues as explained in
https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/
To fix it, look at the first lines of the NGINX conf of the example app:
https://github.com/YunoHost/example_ynh/blob/main/conf/nginx.conf
However it seems rather close to example_ynh, apart from the fact that the location with a regex path is not a child of the previous location (but I couldn't make the app work with the second location as a child of the first one).
After installing the app, I tested the URLs below, which serve the expected HTML, so they don't seem vulnerable to path traversal at first sight:
However the CI test keeps failing because of this: https://ci-apps-dev.yunohost.org/ci/job/18590
Should the linter check be loosened, or am I missing something?
I see in particular https://github.com/YunoHost/package_linter/blob/main/tests/test_configurations.py#L351
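For context on what the linter warning refers to, here is an added example (not part of the post above, and not the package_linter's or the 4get_ynh/example_ynh code): a small re-implementation of the general "off-by-slash" rule from the linked Acunetix page, plus the path mapping that makes it exploitable. For a prefix location, nginx builds the file path by replacing the matched prefix with the alias verbatim, so `location /app { alias /var/www/app/; }` turns the URI `/app../secret` (a single segment `app..`, which URI normalisation leaves alone) into `/var/www/app/../secret`. The configs in the script are constructed for the demo with literal paths; real YunoHost confs use `__PATH__`/`__INSTALL_DIR__` placeholders, and the actual linter logic may differ from this simplified check.

```python
"""Off-by-slash check for nginx ``location`` + ``alias`` blocks.

Added example for this thread; it is neither the package_linter's code nor
the 4get_ynh/example_ynh configs. It re-implements the general rule behind
the "path traversal via misconfigured alias" bug class: a prefix location
without a trailing slash combined with an alias that has one. The configs
below are constructed for the demo.
"""
import posixpath
import re

LOCATION_RE = re.compile(
    r"location\s+(?P<mod>=|~\*|~|\^~)?\s*(?P<path>\S+)\s*\{"
)
ALIAS_RE = re.compile(r"^\s*alias\s+(?P<path>[^;]+);", re.M)


def _matching_brace(text, open_idx):
    """Index of the '}' that closes the '{' at open_idx."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced braces in nginx config")


def iter_locations(conf):
    """Yield (modifier, path, body) for every location block, nested ones included."""
    for m in LOCATION_RE.finditer(conf):
        open_idx = m.end() - 1
        close_idx = _matching_brace(conf, open_idx)
        yield m.group("mod") or "", m.group("path"), conf[open_idx + 1:close_idx]


def _own_directives(body):
    """Strip nested location blocks so an alias is attributed to the block that owns it."""
    out, i = [], 0
    while True:
        m = LOCATION_RE.search(body, i)
        if m is None:
            out.append(body[i:])
            return "".join(out)
        out.append(body[i:m.start()])
        i = _matching_brace(body, m.end() - 1) + 1


def off_by_slash_issues(conf):
    """Return [(location, alias)] where the prefix lacks a trailing '/' but the alias has one."""
    issues = []
    for mod, path, body in iter_locations(conf):
        if mod in ("=", "~", "~*"):
            # exact and regex locations do not do prefix replacement
            continue
        am = ALIAS_RE.search(_own_directives(body))
        if am is None:
            continue
        alias = am.group("path").strip()
        if "$" in alias:
            continue  # alias built from variables: needs manual review, not this rule
        if not path.endswith("/") and alias.endswith("/"):
            issues.append((path, alias))
    return issues


def alias_resolve(uri, location_prefix, alias):
    """(raw, normalised) file path nginx derives for a prefix location with alias,
    or None when the location does not match the URI."""
    if not uri.startswith(location_prefix):
        return None
    raw = alias + uri[len(location_prefix):]
    return raw, posixpath.normpath(raw)


# Constructed configs (not taken from any real app package).
VULNERABLE = r"""
location /app {
    alias /var/www/app/;
}
"""

FIXED = r"""
location /app/ {
    alias /var/www/app/;
    location ~ [^/]\.php(/|$) {
        fastcgi_pass unix:/var/run/php/php-fpm.sock;
    }
}
"""

if __name__ == "__main__":
    print("vulnerable:", off_by_slash_issues(VULNERABLE))  # [('/app', '/var/www/app/')]
    print("fixed:     ", off_by_slash_issues(FIXED))       # []
    print(alias_resolve("/app../secret", "/app", "/var/www/app/"))
    print(alias_resolve("/app../secret", "/app/", "/var/www/app/"))  # None: no match
```

The second `alias_resolve` call shows why the trailing slash on the location matters: `/app../secret` simply does not match the prefix `/app/`, so there is no alias substitution to escape from.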