Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

path/filepath: Walk/WalkDir susceptible to symlink race #70007

Open
neild opened this issue Oct 23, 2024 · 1 comment
Open

path/filepath: Walk/WalkDir susceptible to symlink race #70007

neild opened this issue Oct 23, 2024 · 1 comment
Assignees
@neild
Labels
Security

Comments

@neild
Copy link
Contributor

neild commented Oct 23, 2024

The filepath.Walk and filepath.WalkDir functions are documented as not following symbolic links.

Both these functions are susceptible to a TOCTOU (time of check/time of use) race condition where a portion of the path being walked is replaced with a symbolic link while the walk is in progress.

The impact of this race condition is either mitigated or exacerbated (depending on your perspective) by the fact that the Walk/WalkDir API is fundamentally subject to TOCTOU races: Walk/WalkDir provides the names of files to a WalkFunc/WalkDirFunc, but the file may be replaced in between the WalkFunc/WalkDIrFunc being invoked and making use of the file name. This fundamental raciness means that a WalkFunc/WalkDirFunc that needs to defend against symlink traversal must use a traversal-resistant API to access files, such as github.com/google/safeopen or the proposed os.Root (#67002). Using a traversal-resistant file API will also defend against races in Walk/WalkDir itself.

Because of the inherent raciness of the Walk/WalkDir API, and the fact that fixing the TOCTOU vulnerability requires non-trivial implementation changes, we are classifying this as a PUBLIC track vulnerability.

This has been assigned CVE-2024-8244.
@neild neild added the Security label Oct 23, 2024
@neild neild self-assigned this Oct 23, 2024
@seankhliao seankhliao changed the title filepath: Walk/WalkDir susceptible to symlink race path/filepath: Walk/WalkDir susceptible to symlink race Oct 23, 2024
@adonovan
Copy link
Member

adonovan commented Oct 24, 2024
edited
Loading

The GNU find command (last I looked) used chdir and cwd-relative operations for traversal, I assume because of some combination of (a) it being faster because it avoids repeatedly parsing the name of the enclosing directory in the kernel's dcache layer, and (b) it avoids the TOCTTOU problem you describe. Now that we have fd-relative operations (openat, etc) one could write a variant of WalkDir that resolves every directory name at most once. I wonder how fast it would be.

Not that the world was clamoring for yet another version of WalkDir...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@neild neild

Labels
Security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@neild @adonovan