From 35671a97d6e7ccb426be8a6204b3d439fe367c36 Mon Sep 17 00:00:00 2001
From: Asher Myers <43706372+ashermyers@users.noreply.github.com>
Date: Tue, 20 Aug 2024 02:28:28 -0400
Subject: [PATCH 1/2] Update static.go

---
 middleware/static/static.go | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/middleware/static/static.go b/middleware/static/static.go
index 6cbdbd3d22..22db90562d 100644
--- a/middleware/static/static.go
+++ b/middleware/static/static.go
@@ -65,7 +65,7 @@ func New(root string, cfg ...Config) fiber.Handler {
 GenerateIndexPages: config.Browse,
 AcceptByteRange: config.ByteRange,
 Compress: config.Compress,
- CompressBrotli: config.Compress, // Brotli compression won't work without this
+ CompressBrotli: config.Compress,
 CompressedFileSuffixes: c.App().Config().CompressedFileSuffixes,
 CacheDuration: config.CacheDuration,
 SkipCache: config.CacheDuration < 0,
@@ -102,6 +102,19 @@ func New(root string, cfg ...Config) fiber.Handler {
 path = append([]byte("/"), path...)
 }
+ // Perform explicit path validation
+ absRoot, err := filepath.Abs(root)
+ if err != nil {
+ fctx.Response.SetStatusCode(fiber.StatusInternalServerError)
+ return nil
+ }
+
+ absPath, err := filepath.Abs(filepath.Join(absRoot, string(path)))
+ if err != nil || !strings.HasPrefix(absPath, absRoot) {
+ fctx.Response.SetStatusCode(fiber.StatusForbidden)
+ return nil
+ }
+
 return path
 }

From 63afcdfdc323c08b03fcb546bc8eba73194dce7f Mon Sep 17 00:00:00 2001
From: Asher Myers <43706372+ashermyers@users.noreply.github.com>
Date: Tue, 20 Aug 2024 02:29:20 -0400
Subject: [PATCH 2/2] Update static.go

---
 middleware/static/static.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/static/static.go b/middleware/static/static.go
index 22db90562d..d54ae1ee68 100644
--- a/middleware/static/static.go
+++ b/middleware/static/static.go
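Review bot: The `strings.HasPrefix(absPath, absRoot)` guard in the new validation block is a bare string-prefix test, so a root of `/srv/www` also accepts `/srv/www-private/...` or any other sibling directory whose name begins with the root's; compare against the root plus a separator instead, `if err != nil || (absPath != absRoot && !strings.HasPrefix(absPath, absRoot+string(filepath.Separator))) {`, or compute `filepath.Rel(absRoot, absPath)` and reject a result that starts with `..`. The check lives inside the path-rewrite callback and can only set a status code and return `nil`; whether the underlying file server then stops, or carries on with an empty path and possibly overwrites that status, is not visible in this hunk and should be confirmed, because a guard that does not short-circuit the request is not a guard. `filepath.Abs(root)` depends only on `root`, so it belongs before the handler closure rather than on every request, with its error surfaced when the middleware is constructed instead of as a per-request 500. `filepath.Abs` also does not resolve symlinks, so a link inside the root that points outside it still passes this check; `filepath.EvalSymlinks` on the joined path would be needed to cover that case. The closure and `New` both continue outside the hunk, and the `strings` and `path/filepath` imports the new lines rely on are not shown.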
@@ -65,7 +65,7 @@ func New(root string, cfg ...Config) fiber.Handler {
 GenerateIndexPages: config.Browse,
 AcceptByteRange: config.ByteRange,
 Compress: config.Compress,
- CompressBrotli: config.Compress,
+ CompressBrotli: config.Compress, // Brotli compression won't work without this
 CompressedFileSuffixes: c.App().Config().CompressedFileSuffixes,
 CacheDuration: config.CacheDuration,
 SkipCache: config.CacheDuration < 0,