Fix Improper Assets Management in Spiral
Improper Asset Management in the Spiral framework usually manifests as directory traversal or the accidental exposure of sensitive internal files (.env, logs, source code) through a misconfigured StaticFilesMiddleware or unsafe path resolution. An attacker can use it to map the application's internal layout or exfiltrate secrets. Hardening requires strict path sandboxing and keeping the web server's document root isolated to the /public directory.
The Vulnerable Pattern
```php
<?php
// app/src/Endpoint/Web/AssetController.php
use Psr\Http\Message\ResponseInterface;
use Spiral\Boot\DirectoriesInterface;

final class AssetController
{
    public function __construct(private DirectoriesInterface $directories) {}

    public function getAsset(string $path): ResponseInterface
    {
        // VULNERABLE: direct concatenation allows directory traversal (../../.env)
        // and the lookup is anchored at the project root, not the public directory.
        $file = $this->directories->get('root') . 'assets/' . $path;

        return new BinaryResponse($file);
    }
}
```
The Secure Implementation
The vulnerability lies in trusting user-supplied paths to resolve local filesystem resources. By injecting '../' sequences, an attacker can escape the intended 'assets' folder. The fix adds two layers of defense: 1) using basename() to strip any directory component, and 2) re-anchoring the lookup to the 'public' directory rather than the 'root' directory. Additionally, configure the Spiral StaticFilesMiddleware with a strict allow list of extensions so that .php or .log files are never served as static content.
```php
<?php
// app/src/Endpoint/Web/AssetController.php
use Psr\Http\Message\ResponseInterface;
use Spiral\Boot\DirectoriesInterface;
use Spiral\Http\Exception\ClientException\NotFoundException;

final class AssetController
{
    public function __construct(private DirectoriesInterface $directories) {}

    public function getAsset(string $path): ResponseInterface
    {
        // SECURE: basename() discards every directory component, so '../' cannot escape,
        // and the lookup is anchored at the public directory rather than the project root.
        $safeName = basename($path);
        $file = $this->directories->get('public') . 'assets/' . $safeName;

        if (!file_exists($file)) {
            throw new NotFoundException('Asset not found');
        }

        return new BinaryResponse($file);
    }
}
```
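As an added example (not Spiral's code and not from the page), the following standalone PHP shows the sandboxing described above generalised to a realpath() anchor plus an extension allow list, which also covers assets in subdirectories that basename() alone would flatten; the temporary directory, file names and allowed-extension list are constructed here for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical helper, not Spiral's API): resolve a user-supplied
// asset path against a base directory and return the canonical path only if it
// still lies inside that directory and carries an allowed extension.
function resolveAsset(string $baseDir, string $userPath, array $allowedExt): ?string
{
    $base = realpath($baseDir);
    if ($base === false || str_contains($userPath, "\0")) {
        return null; // missing base, or NUL byte that would truncate the path
    }
    // realpath() collapses '..' and symlinks; false means the target does not exist.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Prefix check with a trailing separator so '/srv/public_old' cannot match '/srv/public'.
    if (!str_starts_with($candidate, $base . DIRECTORY_SEPARATOR)) {
        return null; // resolved outside the sandbox (e.g. ../../.env)
    }
    $ext = strtolower(pathinfo($candidate, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null; // exists inside the sandbox but is not a servable static type
    }
    return $candidate;
}

// Constructed sandbox: a temporary public/assets tree beside a fake .env file.
$root = sys_get_temp_dir() . '/asset_demo_' . bin2hex(random_bytes(4));
mkdir("$root/public/assets/css", 0700, true);
file_put_contents("$root/.env", 'APP_KEY=placeholder');
file_put_contents("$root/public/assets/css/app.css", 'body{}');
file_put_contents("$root/public/assets/shell.php", '<?php');

$allowed = ['css', 'js', 'png', 'svg', 'woff2'];
$probes  = ['css/app.css', '../../.env', './css/app.css', 'shell.php', 'missing.css'];
foreach ($probes as $p) {
    $r = resolveAsset("$root/public/assets", $p, $allowed);
    printf("%-16s => %s\n", $p, $r === null ? 'REJECTED' : 'served ' . basename($r));
}

// Remove the constructed sandbox.
array_map('unlink', ["$root/.env", "$root/public/assets/css/app.css", "$root/public/assets/shell.php"]);
array_map('rmdir', ["$root/public/assets/css", "$root/public/assets", "$root/public", $root]);
```

Only the two css/app.css probes are served; the .env traversal fails the prefix check, shell.php fails the extension allow list, and the missing file fails realpath().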
Verified by Ghost Labs Security Team