filepath.Clean cannot be used as safe sanitizer #34938

Closed
kost opened this issue Oct 16, 2019 · 2 comments

kost commented Oct 16, 2019

What version of Go are you using (go version)?

# go version
go version go1.13.1 linux/amd64

Does this issue reproduce with the latest release?

Yes. Using golang:latest

What operating system and processor architecture are you using (go env)?

go env Output
# go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/root/.cache/go-build"
GOENV="/root/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build633713348=/tmp/go-build -gno-record-gcc-switches"

What did you do?

package main

import (
	"fmt"
	"path"
	"path/filepath"
)

func main() {
	basedir := "/tmp"
	fmt.Println(path.Join(basedir, filepath.Clean("../../../.../../../../../../"), "file.txt"))
	fmt.Println(path.Join(basedir, filepath.Clean("/../../../.../../../../../../"), "file.txt"))
}

https://play.golang.org/p/sbCquGUpnyc

What did you expect to see?

/tmp/file.txt
/tmp/file.txt

What did you see instead?

/file.txt
/tmp/file.txt

Seems like filepath.Clean does not clean the path completely. Therefore, filepath.Clean cannot be used as a safe sanitizer against LFI/doubledot/directory traversal type of attacks.

kost commented Oct 16, 2019

Although filepath.Clean is not a sanitizer, it should be noted in the documentation in big bold letters:
https://golang.org/pkg/path/filepath/#Clean

@ianlancetaylor
Contributor

The documentation for Clean explains precisely what it does. The documentation does not claim that Clean is any sort of sanitizer, since it isn't one. The documentation says what it does: "Clean returns the shortest path name equivalent to path by purely lexical processing."

> Therefore, filepath.Clean cannot be used as a safe sanitizer against LFI/doubledot/directory traversal type of attacks.

Correct. No purely lexical function can do that.
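
A containment check that follows from the thread's conclusion, as an added example (not code from the issue or from the Go project; `LexicalJoin`, `ResolveInside` and `ErrEscapes` are hypothetical names): join the untrusted path to the base first and verify the result is still under the base, then repeat the check after resolving symlinks, which a purely lexical function cannot see.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrEscapes reports that a path would land outside the base directory.
var ErrEscapes = errors.New("path escapes base directory")

// inside reports whether target is lexically at or below base.
func inside(base, target string) bool {
	rel, err := filepath.Rel(base, target)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// LexicalJoin (hypothetical helper) joins first, then checks containment,
// rather than trusting filepath.Clean on the untrusted part alone.
func LexicalJoin(base, untrusted string) (string, error) {
	full := filepath.Join(base, untrusted) // Join cleans the joined result
	if !inside(filepath.Clean(base), full) {
		return "", ErrEscapes
	}
	return full, nil
}

// ResolveInside (hypothetical helper) repeats the check after resolving
// symlinks. A missing target also fails closed; a check-to-open race remains.
func ResolveInside(base, untrusted string) (string, error) {
	realBase, err := filepath.EvalSymlinks(base)
	if err != nil {
		return "", err
	}
	full, err := LexicalJoin(realBase, untrusted)
	if err != nil {
		return "", err
	}
	resolved, err := filepath.EvalSymlinks(full)
	if err != nil || !inside(realBase, resolved) {
		return "", ErrEscapes
	}
	return resolved, nil
}

func main() { // the issue's first input plus a file name, then a benign path
	fmt.Println(LexicalJoin("/tmp", "../../../.../../../../../../file.txt"))
	fmt.Println(LexicalJoin("/tmp", "docs/file.txt"))
}
```
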

@golang golang locked and limited conversation to collaborators Oct 15, 2020