Go Path Traversal Read
Description
Detects path traversal vulnerabilities in Go applications where file read operations could be manipulated with user input to access files outside the intended directory structure. This could allow attackers to read sensitive files on the system by using "../" or similar directory traversal sequences.
Detection Strategy
• Checks whether the code imports the Go packages involved in the pattern, such as 'os', 'net/http' or 'path/filepath'
• Identifies file read operations in the code (os.Open, os.ReadFile, and the deprecated ioutil.ReadFile, which os.ReadFile replaced in Go 1.16)
• Verifies whether the file path argument is derived from user-controllable input (query parameters, path segments, headers or request bodies) without validation
• Reports a vulnerability when user input influences the path of a read operation without a check that the resolved path stays inside the intended directory. Note that filepath.Clean and filepath.Join alone are not such a check: they resolve "../" into the parent directory rather than rejecting it
Vulnerable code example
package main
import (
"net/http"
"path/filepath"
)
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {...
✅ Secure code example
package main
import (
"net/http"
"path/filepath"
"strings"
)
...
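Both examples above are cut off on this page. The following is an added, complete example, not Fluid Attacks' own code, that shows the read pattern the detector flags next to a hardened version of it. The base directory /srv/files, the "file" query parameter and the function names are assumptions made for the demo. The hardened resolver is a lexical check (it rejects "../" escapes, absolute paths and NUL bytes) and does not follow symlinks, so the served directory must not contain links that point outside it.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a requested path would resolve outside the
// directory the handler is allowed to serve from.
var ErrOutsideBase = errors.New("requested path escapes the base directory")

// vulnerablePath is the pattern the detector flags: untrusted input is joined
// onto the base directory and handed to a read operation unchecked.
// filepath.Join cleans the result, so "../../etc/passwd" resolves to a path
// above baseDir instead of being rejected.
func vulnerablePath(baseDir, userPath string) string {
	return filepath.Join(baseDir, userPath)
}

// safePath resolves userPath under baseDir and returns ErrOutsideBase unless
// the cleaned result is baseDir itself or one of its descendants.
func safePath(baseDir, userPath string) (string, error) {
	absBase, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	// Absolute paths would ignore baseDir; NUL bytes truncate paths in libc.
	if strings.ContainsRune(userPath, 0) || filepath.IsAbs(userPath) {
		return "", ErrOutsideBase
	}
	full := filepath.Join(absBase, userPath) // also resolves "." and ".." segments
	rel, err := filepath.Rel(absBase, full)
	if err != nil {
		return "", err
	}
	// After cleaning, anything that escaped the base starts with ".." as a segment.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return full, nil
}

// vulnerableHandler reads whatever file the "file" query parameter names
// (assumed parameter name for this demo).
func vulnerableHandler(baseDir string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		data, err := os.ReadFile(vulnerablePath(baseDir, r.URL.Query().Get("file")))
		if err != nil {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		_, _ = w.Write(data)
	}
}

// safeHandler validates the resolved path before touching the filesystem.
func safeHandler(baseDir string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		p, err := safePath(baseDir, r.URL.Query().Get("file"))
		if err != nil {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		data, err := os.ReadFile(p)
		if err != nil {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		_, _ = w.Write(data)
	}
}

func main() {
	base := "/srv/files" // assumed base directory for the demo
	// Constructed sample inputs: two legitimate names, two traversal attempts.
	for _, in := range []string{"report.txt", "docs/../report.txt", "../../etc/passwd", "/etc/passwd"} {
		p, err := safePath(base, in)
		fmt.Printf("%-20q vulnerable=%-28s safe=%-28s err=%v\n", in, vulnerablePath(base, in), p, err)
	}
	// To expose the hardened handler: http.ListenAndServe(":8080", safeHandler(base))
}
```

The query value is already URL-decoded by the time r.URL.Query().Get returns it, so "%2e%2e%2f" reaches the resolver as "../" and is caught by the same check. The check compares the cleaned result against the base with filepath.Rel rather than a raw string prefix test, which avoids accepting a sibling directory such as /srv/files-old when the base is /srv/files.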