From 97981755c365dc8b4098ef314924051642c1ced8 Mon Sep 17 00:00:00 2001
From: Andrew Krasichkov
Date: Tue, 6 Jun 2017 21:10:33 +0300
Subject: [PATCH] First try to implement path traversal detection (via alias)

---
 gixy/plugins/alias_traversal.py | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 gixy/plugins/alias_traversal.py

diff --git a/gixy/plugins/alias_traversal.py b/gixy/plugins/alias_traversal.py
new file mode 100644
index 0000000..71dad5f
--- /dev/null
+++ b/gixy/plugins/alias_traversal.py
@@ -0,0 +1,26 @@
+import gixy
+from gixy.plugins.plugin import Plugin
+
+
+class alias_traversal(Plugin):
+ """
+ Insecure example:
+ location /files {
+ alias /home/;
+ }
+ """
+ summary = 'Path traversal via misconfigured alias.'
+ severity = gixy.severity.HIGH
+ description = 'TODO'
+ help_url = 'https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md'
+ directives = ['alias']
+
+ def audit(self, directive):
+ for location in directive.parents:
+ if location.name != 'location':
+ continue
+ if not location.modifier or location.modifier == '^~':
+ # We need non-strict prefixed locations
+ if not location.path.endswith('/'):
+ self.add_issue(directive=[directive, location])
+ break
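Review bot: `severity` is fixed at HIGH for every hit, but the traversal the docstring illustrates depends on the alias argument ending with `/` (`/files../x` resolves to `/home/../x`); with `alias /home;` the same request maps to `/home../x`, a much weaker finding, so reporting both at HIGH over-reports. If the alias directive exposes its argument (gixy's alias directive has a `path` attribute, as far as I know, and `add_issue` appears to take per-issue overrides), grading the finding with `severity=gixy.severity.HIGH if directive.path.endswith('/') else gixy.severity.MEDIUM` in the `add_issue` call, or at least documenting the distinction in the class docstring, would make the result more accurate. The paste has lost the indentation, so I cannot tell whether `break` sits under the innermost `if` or directly under the `for`; only the nearest enclosing `location` governs the alias, so the loop should stop at `for`-body level after examining that location, otherwise an unrelated outer `location` gets flagged when the inner one is safe. `description = 'TODO'` ships as user-facing report text; something like `description = 'Using alias in a prefixed location that does not end with a directory separator could lead to path traversal.'` would replace the placeholder.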