Go Path Traversal Open File
Description
Detects potential path traversal vulnerabilities in Go code where os.OpenFile is called with user-controlled input. This could allow attackers to access arbitrary files outside the intended directory by manipulating file paths with "../" sequences or absolute paths.
Detection Strategy
• Confirms the Go 'os' package is imported in the source code
• Identifies calls to os.OpenFile function
• Verifies that the file path parameter passed to os.OpenFile contains or is derived from user input
• Reports a vulnerability when user-controlled data flows into the file path argument without proper sanitization
Vulnerable code example
package main
import (
	"io"
	"net/http"
	"os"
)
func handleFile(w http.ResponseWriter, r *http.Request) {
	// Body reconstructed for this page: the source is cut off after the signature, and the
	// query parameter name "file" is an assumption. The raw value reaches os.OpenFile unchecked,
	// so "../" sequences and absolute paths are accepted as-is.
	f, err := os.OpenFile(r.URL.Query().Get("file"), os.O_RDONLY, 0)
	if err != nil {
		http.Error(w, "not found", http.StatusNotFound)
		return
	}
	defer f.Close()
	io.Copy(w, f)
}
✅ Secure code example
package main
import (
	"io"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)
const baseDir = "/srv/files" // assumed value; the page shows only the imports of this example
func handleFile(w http.ResponseWriter, r *http.Request) {
	// Body reconstructed for this page from the imports shown (path/filepath, strings);
	// the query parameter name "file" is an assumption.
	path := filepath.Join(baseDir, r.URL.Query().Get("file")) // Join cleans ".." segments lexically
	if !strings.HasPrefix(path, baseDir+string(filepath.Separator)) { // trailing separator, so "/srv/files2" cannot pass
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	f, err := os.OpenFile(path, os.O_RDONLY, 0)
	if err != nil {
		http.Error(w, "not found", http.StatusNotFound)
		return
	}
	defer f.Close()
	io.Copy(w, f)
}
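The containment logic of the secure example, generalized as an added example written for this page (not Fluid Attacks' code): it rejects absolute input outright instead of silently re-rooting it, rejects any ".." that climbs above the base before the join, and uses filepath.Rel rather than a bare string prefix for the containment check. The base directory /srv/files and the helper names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)
var errTraversal = errors.New("path escapes the allowed directory")
// contained reports whether target lies inside base. filepath.Rel is used instead of
// strings.HasPrefix so that base "/srv/files" does not also accept "/srv/files2/secret".
func contained(base, target string) bool {
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// resolveUnderBase maps untrusted input to an absolute path under base or returns
// errTraversal. Lexical checks reject empty or absolute input and any ".." that climbs
// above base (filepath.IsLocal, Go 1.20+, does the same); contained re-verifies the join.
func resolveUnderBase(base, userPath string) (string, error) {
	if userPath == "" || filepath.IsAbs(userPath) {
		return "", errTraversal
	}
	clean := filepath.Clean(userPath)
	if clean == ".." || strings.HasPrefix(clean, ".."+string(filepath.Separator)) {
		return "", errTraversal
	}
	target := filepath.Join(base, clean)
	if !contained(base, target) {
		return "", errTraversal
	}
	return target, nil
}

// openUnderBase is what a handler calls instead of a bare os.OpenFile(userPath, ...).
func openUnderBase(baseDir, userPath string) (*os.File, error) {
	p, err := resolveUnderBase(baseDir, userPath)
	if err != nil {
		return nil, err
	}
	return os.OpenFile(p, os.O_RDONLY, 0)
}
func main() {
	_, err := openUnderBase("/srv/files", "../../etc/passwd") // baseDir is an assumed value
	fmt.Println("rejected:", err)
}
```

The checks are purely lexical; if the base directory may contain symlinks, resolve the final path with filepath.EvalSymlinks and run contained again before opening.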