GHSA-3whc-qvhv-xqjp

Source
https://github.com/advisories/GHSA-3whc-qvhv-xqjp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-3whc-qvhv-xqjp/GHSA-3whc-qvhv-xqjp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3whc-qvhv-xqjp
Aliases
  • CVE-2026-50138
Published
2026-07-01T21:56:40Z
Modified
2026-07-01T22:15:21.432067455Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
goshs: WebDAV listener ignores --read-only, --upload-only, and --no-delete mode flags
Details

WebDAV listener ignores --read-only, --upload-only, and --no-delete mode flags

Ecosystem: Go
Package: goshs.de/goshs/v2 (github.com/patrickhener/goshs)
Affected: <= v2.0.9 (every release that ships the WebDAV handler)

Summary

When goshs is launched with WebDAV enabled (-w), the mode-restriction flags --read-only, --upload-only, and --no-delete are enforced only on the primary HTTP port. The WebDAV port is wired straight to golang.org/x/net/webdav.Handler with no equivalent guard, so an authenticated WebDAV client can PUT, DELETE, MKCOL, MOVE, and COPY despite the operator's stated intent.

Details

httpserver/server.go:207-238 — the WebDAV mux registers only IPWhitelistMiddleware, ServerHeaderMiddleware, and optionally BasicAuthMiddleware. There is no fs.ReadOnly || fs.UploadOnly || fs.NoDelete check on the WebDAV path. The HTTP mux in the same file (lines 134-204) does check these flags on every state-changing route.

Proof of concept

mkdir -p /tmp/r && echo secret > /tmp/r/x.txt
goshs -p 18000 -wp 18001 -w -ro -d /tmp/r -b admin:pw &

curl -u admin:pw -X PUT    http://localhost:18000/y.txt --data x   # 403  (HTTP enforces -ro)
curl -u admin:pw -X PUT    http://localhost:18001/y.txt --data x   # 201  (WebDAV writes anyway)
curl -u admin:pw -X DELETE http://localhost:18001/x.txt            # 204  (WebDAV deletes anyway)
curl -u admin:pw -X MKCOL  http://localhost:18001/pwned/           # 201  (WebDAV creates dir)

Impact

  • Integrity: --read-only and --no-delete are silently downgraded to "no protection" on the WebDAV port. Any WebDAV client (curl, cadaver, Windows Explorer, Finder) can overwrite/delete files.
  • Confidentiality: --upload-only is also bypassed: WebDAV GET/PROPFIND still return file contents.
  • Trust: operators using goshs -w -ro -d /srv/case-files -b reviewer:pw to deliver engagement artifacts believe the directory is immutable. It isn't.

Suggested fix

Add a small http.HandlerFunc in front of wdHandler that maps WebDAV verbs to the existing mode flags:

wdGuard := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
    switch r.Method {
    case http.MethodPut, "MKCOL", "MOVE", "COPY": // verbs that create or change content
        if fs.ReadOnly || fs.UploadOnly { http.Error(w, "read-only", 403); return }
    case http.MethodDelete: // verb that removes content
        if fs.ReadOnly || fs.UploadOnly || fs.NoDelete { http.Error(w, "delete disabled", 403); return }
    case http.MethodGet, "PROPFIND", "HEAD": // verbs that disclose content or listings
        if fs.UploadOnly { http.Error(w, "upload-only", 403); return }
    }
    wdHandler.ServeHTTP(w, r) // only reached when the mode flags permit the verb
})

Add regression tests in integration/functions.go covering each mode flag × each WebDAV verb.
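As an added illustration (not the advisory's or goshs's own code), the same guard written as a reusable middleware that can be dropped in front of a *webdav.Handler and unit-tested with net/http/httptest. ModeFlags and its field names are this example's own; the verb classes follow the suggested fix above, with PROPPATCH/LOCK/UNLOCK added to the write class and unknown verbs refused so the guard fails closed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ModeFlags mirrors the goshs mode switches (field names are this example's own).
type ModeFlags struct {
	ReadOnly, UploadOnly, NoDelete bool // --read-only, --upload-only, --no-delete
}

// Denied reports why a WebDAV method is refused under f ("" means allowed). The
// PUT/MKCOL/MOVE/COPY, DELETE and GET/HEAD/PROPFIND classes are the advisory's own;
// PROPPATCH/LOCK/UNLOCK joining the write class and the fail-closed default are this example's.
func Denied(f ModeFlags, method string) string {
	switch method {
	case http.MethodOptions: // capability discovery is harmless in every mode
		return ""
	case http.MethodPut, "MKCOL", "MOVE", "COPY", "PROPPATCH", "LOCK", "UNLOCK":
		if f.ReadOnly || f.UploadOnly { return "read-only" }
	case http.MethodDelete:
		if f.ReadOnly || f.UploadOnly || f.NoDelete { return "delete disabled" }
	case http.MethodGet, http.MethodHead, "PROPFIND":
		if f.UploadOnly { return "upload-only" }
	default:
		return "method not allowed"
	}
	return ""
}

// WebDAVGuard enforces the mode flags in front of next (the *webdav.Handler in goshs).
func WebDAVGuard(f ModeFlags, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if reason := Denied(f, r.Method); reason != "" {
			http.Error(w, reason, http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Stand-in for the real WebDAV handler: it would write unconditionally and answer 201.
	dav := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(201) })
	rec := httptest.NewRecorder()
	WebDAVGuard(ModeFlags{ReadOnly: true}, dav).ServeHTTP(rec, httptest.NewRequest("PUT", "/y.txt", nil))
	fmt.Println("PUT under --read-only ->", rec.Code) // 403
}
```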

Reporter: Nishant Verma. Reproduced live against goshs v2.0.9 (commit 8fc1e91) on 2026-05-27.

Database specific
{
    "github_reviewed_at": "2026-07-01T21:56:40Z",
    "nvd_published_at": null,
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-284"
    ],
    "severity": "HIGH"
}
References

Affected packages

Go / goshs.de/goshs/v2

Package

Name
goshs.de/goshs/v2
Purl
pkg:golang/goshs.de/goshs/v2

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.1.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-3whc-qvhv-xqjp/GHSA-3whc-qvhv-xqjp.json"
last_known_affected_version_range
"<= 2.0.9"