GuardAPI
Automated Security Protocol

How to fix Improper Assets Management in NancyFX

Executive Summary

NancyFX's flexibility in handling static content is a prime target for directory traversal if it is not locked down. Improper asset management occurs when the framework serves files based on unvalidated user input, or when the StaticContentsConventions are mapped to sensitive root directories. In an attacker's hands, this is the bridge from a simple web request to full-blown Local File Inclusion (LFI).

The Vulnerable Pattern

VULNERABLE CODE
using Nancy;

public class AssetModule : NancyModule
{
    public AssetModule()
    {
        // VULNERABLE: Direct concatenation of user input with file paths
        Get["/assets/{filename}"] = parameters => {
            string file = parameters.filename;
            return Response.AsFile($"wwwroot/assets/{file}");
        };
    }
}

The Secure Implementation

The vulnerability lies in the 'AsFile' wrapper accepting unsanitized strings. An attacker can pass '../../web.config' to escape the 'wwwroot' jail. The fix implements three layers of defense:
1) Canonicalization via Path.GetFullPath to resolve '..' sequences.
2) Prefix validation to ensure the resolved path remains within the intended subdirectory. The base path must end with a directory separator, otherwise a sibling directory that shares the prefix (for example 'assets-old') would pass the check.
3) Moving static assets into a dedicated convention-based directory managed by the Bootstrapper, which is less prone to manual routing errors.

SECURE CODE
using System;
using System.IO;
using Nancy;

public class AssetModule : NancyModule
{
    public AssetModule()
    {
        Get["/assets/{filename}"] = parameters => {
            string fileName = (string)parameters.filename;
            // SECURE: Normalize path and validate against a base directory
            // (the trailing slash on baseDir is what makes the prefix check exact)
            string baseDir = Path.GetFullPath("wwwroot/assets/");
            string requestPath = Path.GetFullPath(Path.Combine(baseDir, fileName));
            if (!requestPath.StartsWith(baseDir, StringComparison.OrdinalIgnoreCase) || !File.Exists(requestPath))
            {
                return HttpStatusCode.NotFound;
            }

            return Response.AsFile(requestPath);
        };
    }
}

// Alternative: Proper Bootstrapper Configuration
using Nancy;
using Nancy.Conventions;

public class Bootstrapper : DefaultNancyBootstrapper
{
    protected override void ConfigureConventions(NancyConventions conventions)
    {
        base.ConfigureConventions(conventions);
        // Serve only the dedicated assets directory; drop any inherited conventions
        conventions.StaticContentsConventions.Clear();
        conventions.StaticContentsConventions.Add(
            StaticContentConventionBuilder.AddDirectory("assets", "wwwroot/assets")
        );
    }
}
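The containment check from the secure module, pulled out into a standalone console program so it can be exercised against a table of constructed inputs. This is an added example, not code from the original page or from Nancy; AssetPathGuard, Resolve and the probe list are hypothetical, and the base directory is constructed under the temp folder so nothing needs to exist on disk.

```csharp
using System;
using System.IO;

// Hypothetical helper (not Nancy's API and not the page's module) that isolates the
// containment check from the secure AssetModule so it can be tested on its own.
public static class AssetPathGuard
{
    // Returns the canonical path when it stays under baseDir, otherwise null.
    public static string Resolve(string baseDir, string requested)
    {
        if (string.IsNullOrEmpty(requested)) return null;

        // Canonical base with a guaranteed trailing separator: without it a sibling
        // directory such as "assets-old" would pass a plain prefix comparison.
        string root = Path.GetFullPath(baseDir);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;

        // Path.Combine drops the base when the second argument is rooted, and
        // GetFullPath collapses ".." segments, so both escapes end up outside root.
        string full = Path.GetFullPath(Path.Combine(root, requested));

        return full.StartsWith(root, StringComparison.OrdinalIgnoreCase) ? full : null;
    }

    public static void Main()
    {
        // Constructed base directory; the check never touches the file system.
        string baseDir = Path.Combine(Path.GetTempPath(), "wwwroot", "assets");

        // Constructed probes: two legitimate asset names followed by the inputs
        // the check is expected to reject.
        string[] probes =
        {
            "site.css",
            "img/logo.png",
            "../../web.config",
            "/etc/passwd",
            "../assets-old/secret.txt",
        };

        foreach (string p in probes)
        {
            string resolved = Resolve(baseDir, p);
            Console.WriteLine($"{p,-26} -> {(resolved == null ? "REJECTED" : "ok " + resolved)}");
        }
    }
}
```

The last probe is the case the trailing separator protects against: it resolves to wwwroot/assets-old/, which shares the string prefix of the base but is not inside it.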


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes more than 500 vulnerability patterns across more than 40 frameworks to provide up-to-date remediation strategies.