Go Traversal Delete Unsanitized User Input
Description
Detects path traversal vulnerabilities in Go applications where file deletion operations (such as os.Remove or os.RemoveAll) receive unsanitized user input as the file path argument. An attacker who can supply "../" segments or an absolute path can then delete arbitrary files outside the intended directory, limited only by the permissions of the process performing the deletion.
Detection Strategy
• Check for imports of the 'os' package in Go code
• Look for file deletion function calls (e.g., os.Remove, os.RemoveAll)
• Examine if the file path parameter comes from user-controlled input
• Verify if the file path parameter lacks proper sanitization or path traversal checks. Note that filepath.Clean alone is not a sanitizer, since Clean("../x") is still "../x": the input must either be reduced to a bare file name (filepath.Base) or the joined path must be shown to stay inside the base directory (for example with filepath.Rel).
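The four steps above read as a static-analysis recipe, so here is an added example that implements them over Go source with go/ast. It is not part of the original page and not Fluid Attacks' tooling: it checks for the os import, finds os.Remove and os.RemoveAll calls, tracks request data through assignments per function, and treats only filepath.Base as a sanitizer. The source list, the sanitizer rule and the embedded sample program are constructed for this example.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Request accessors treated as attacker-controlled sources: a constructed list,
// matched textually on the conventional handler parameter name "r".
var userSources = []string{"r.URL.Query", "r.URL.Path", "r.FormValue", "r.PostFormValue", "r.Header.Get"}

// exprText renders an identifier, selector or call chain back to source-like text.
func exprText(e ast.Expr) string {
	switch v := e.(type) {
	case *ast.Ident:
		return v.Name
	case *ast.SelectorExpr:
		return exprText(v.X) + "." + v.Sel.Name
	case *ast.CallExpr:
		return exprText(v.Fun) + "()"
	}
	return ""
}

// isTainted reports whether e mentions a request source or an already tainted variable.
// Step 4 lives here: filepath.Base drops every directory component, so its result is not
// descended into; filepath.Clean gets no such credit, because Clean("../x") is still "../x".
func isTainted(e ast.Expr, tainted map[string]bool) bool {
	hit := false
	ast.Inspect(e, func(n ast.Node) bool {
		switch v := n.(type) {
		case *ast.CallExpr:
			if exprText(v.Fun) == "filepath.Base" {
				return false
			}
		case *ast.SelectorExpr:
			for _, s := range userSources {
				hit = hit || strings.HasPrefix(exprText(v), s)
			}
		case *ast.Ident:
			hit = hit || tainted[v.Name]
		}
		return !hit
	})
	return hit
}

// ScanSource applies the detection steps to one Go source file; one finding per tainted deletion call.
func ScanSource(src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	importsOS := false // step 1: without an os import there is nothing to find
	for _, imp := range f.Imports {
		importsOS = importsOS || imp.Path.Value == `"os"`
	}
	var findings []string
	if !importsOS {
		return findings, nil
	}
	tainted := map[string]bool{}
	ast.Inspect(f, func(n ast.Node) bool {
		switch v := n.(type) {
		case *ast.FuncDecl: // fresh per-function taint set, filled in source order
			tainted = map[string]bool{}
		case *ast.AssignStmt: // step 3: follow request data through assignments
			for i, lhs := range v.Lhs {
				if id, ok := lhs.(*ast.Ident); ok && i < len(v.Rhs) {
					tainted[id.Name] = isTainted(v.Rhs[i], tainted)
				}
			}
		case *ast.CallExpr: // step 2: a deletion call whose path argument is tainted
			callee := exprText(v.Fun)
			if (callee == "os.Remove" || callee == "os.RemoveAll") && len(v.Args) == 1 && isTainted(v.Args[0], tainted) {
				findings = append(findings, fmt.Sprintf("line %d: %s", fset.Position(v.Pos()).Line, callee))
			}
		}
		return true
	})
	return findings, nil
}

// sample is a constructed input: vulnerable() should be reported, safe() should not.
const sample = `package main
import ("net/http"; "os"; "path/filepath")
func vulnerable(w http.ResponseWriter, r *http.Request) {
	name := r.URL.Query().Get("file")
	os.Remove(filepath.Join("/var/uploads", name)) // line 5 of sample
}
func safe(w http.ResponseWriter, r *http.Request) {
	os.Remove(filepath.Join("/var/uploads", filepath.Base(r.FormValue("file"))))
}
`

func main() { fmt.Println(ScanSource(sample)) } // [line 5: os.Remove] <nil>
```

The taint tracking is deliberately simple (textual source matching, straight-line assignments, no interprocedural flow), which is enough to show why the fourth step matters: a filepath.Join around tainted data is still tainted, while a filepath.Base around it is not.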
Vulnerable code example
package main
import (
"net/http"
"os"
)
func handler(w http.ResponseWriter, r *http.Request) {...
✅ Secure code example
package main
import (
"net/http"
"os"
"path/filepath"
"strings"
)...
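Neither code example survives on the page past its import list, so the pair below is an added example written for this entry, not Fluid Attacks' own code. The vulnerable routine joins the request value straight into os.Remove; the hardened one confines the candidate path with filepath.Rel before deleting, which is stricter than a strings.HasPrefix test on the cleaned path. The handler, the uploads layout and the request are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
	"strings"
)

var errTraversal = errors.New("path escapes the base directory")

// vulnerableDelete is the flawed pattern: the request value is joined onto the base
// directory and handed to os.Remove untouched, so "../secret.txt" walks out of it.
func vulnerableDelete(base, name string) error {
	return os.Remove(filepath.Join(base, name))
}

// containedPath joins name onto base and returns the result only if it stays inside
// base, judged by the relative path rather than a string prefix (a prefix test on the
// cleaned path would accept "/srv/uploads2/x" for base "/srv/uploads"). The check is
// lexical: symlinks inside base are not followed.
func containedPath(base, name string) (string, error) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	target := filepath.Join(absBase, name) // Join cleans, so "docs/../a.txt" collapses to "a.txt"
	rel, err := filepath.Rel(absBase, target)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errTraversal
	}
	return target, nil
}

// safeDelete is the hardened form: confine first, delete second.
func safeDelete(base, name string) error {
	target, err := containedPath(base, name)
	if err != nil {
		return err
	}
	return os.Remove(target)
}

// deleteHandler serves DELETE /delete?file=<name> with whichever delete routine it is given.
func deleteHandler(base string, del func(base, name string) error) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		switch err := del(base, r.URL.Query().Get("file")); {
		case errors.Is(err, errTraversal):
			http.Error(w, "invalid file name", http.StatusBadRequest)
		case err != nil:
			http.Error(w, "delete failed", http.StatusInternalServerError)
		default:
			w.WriteHeader(http.StatusNoContent)
		}
	}
}

// exercise builds <tmp>/uploads and <tmp>/secret.txt (a constructed layout), then asks the
// given delete routine, through the handler, to remove "../secret.txt". It returns the
// HTTP status and whether secret.txt survived.
func exercise(del func(base, name string) error) (status int, secretSurvived bool, err error) {
	tmp, err := os.MkdirTemp("", "traversal-demo")
	if err != nil {
		return 0, false, err
	}
	defer os.RemoveAll(tmp)
	uploads := filepath.Join(tmp, "uploads")
	secret := filepath.Join(tmp, "secret.txt")
	if err = os.Mkdir(uploads, 0o700); err != nil {
		return 0, false, err
	}
	if err = os.WriteFile(secret, []byte("constructed sample"), 0o600); err != nil {
		return 0, false, err
	}
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodDelete, "/delete?file=../secret.txt", nil)
	deleteHandler(uploads, del).ServeHTTP(rec, req)
	_, statErr := os.Stat(secret)
	return rec.Code, statErr == nil, nil
}

func main() {
	for name, del := range map[string]func(string, string) error{"vulnerable": vulnerableDelete, "safe": safeDelete} {
		status, survived, err := exercise(del)
		fmt.Printf("%-10s status=%d secret.txt survived=%v err=%v\n", name, status, survived, err)
	}
}
```

The vulnerable routine answers 204 and secret.txt is gone; the hardened one answers 400 and the file is untouched. Because the check is lexical, a symlink inside the uploads directory that points elsewhere would still be followed by os.Remove's target resolution; on Go 1.24 and later, os.OpenRoot with Root.Remove confines the operation at the operating-system level instead, and on older toolchains the filepath.Rel check above is the practical option.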