StaticHandler disclosure of classpath resources on Windows when mounted on a wildcard route

Summary

When running vertx web applications that serve files using StaticHandler on Windows Operating Systems and Windows File Systems, if the mount point is a wildcard (*) then an attacker can exfiltrate any class path resource.

Details

When computing the relative path to locate the resource, in case of wildcards, the code:

https://github.com/vert-x3/vertx-web/blob/62c0d66fa1c179ae6a4d57344631679a2b97e60f/vertx-web/src/main/java/io/vertx/ext/web/impl/Utils.java#L83

returns the user input (without validation) as the segment to lookup. Even though checks are performed to avoid escaping the sandbox, given that the input was not sanitized \ are not properly handled and an attacker can build a path that is valid within the classpath.

PoC

https://github.com/adrien-aubert-drovio/vertx-statichandler-windows-traversal-path-vulnerability