Conversation

@bboule bboule commented Nov 11, 2025

`Clean` is not intended to sanitize against path traversal attacks. This function is for finding the shortest path name equivalent to the given input. Using `Clean` to sanitize file reads may expose this application to path traversal attacks, where an attacker could access arbitrary files on the server. To fix this easily, write this: `filepath.FromSlash(path.Clean("/"+strings.Trim(req.URL.Path, "/")))` However, a better solution is using the `SecureJoin` function in the package filepath-securejoin. See https://pkg.go.dev/github.com/cyphar/filepath-securejoin#section-readme.
Branch: main
Line: 39
File Path:
/tools/scanResult/unzipped-2407813448/pkg/server/v3/gateway.go
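The following is an added example, not code from this PR or from the project's gateway.go, written to show why the alert above fires and what the suggested rewrite changes. `webRoot` and the request paths are constructed for the illustration; the `withinRoot` helper goes slightly beyond the comment by adding the lexical containment check a reviewer would want next to either form.

```go
package main

import (
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// webRoot is a hypothetical directory that a file-serving handler is meant to
// stay inside. It exists only for this illustration.
const webRoot = "/srv/www"

// unsafeResolve follows the pattern the alert warns about: the request path is
// passed through filepath.Clean and then joined onto the root. Clean normalises
// the string but keeps a relative ".." prefix, so Join walks straight out of
// the root.
func unsafeResolve(root, reqPath string) string {
	return filepath.Join(root, filepath.Clean(reqPath))
}

// safeResolve is the rewrite the alert suggests. Anchoring the request path at
// "/" before path.Clean means every ".." is resolved against a virtual root
// and cannot climb above it; FromSlash then converts to the OS separator.
func safeResolve(root, reqPath string) string {
	rel := filepath.FromSlash(path.Clean("/" + strings.Trim(reqPath, "/")))
	return filepath.Join(root, rel)
}

// withinRoot is a lexical containment check that reports whether resolved sits
// at or below root. It catches mistakes in the two functions above but does not
// follow symlinks, which is why the alert points at SecureJoin for the real fix.
func withinRoot(root, resolved string) bool {
	rel, err := filepath.Rel(root, resolved)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	// Constructed request paths. net/http has already percent-decoded
	// req.URL.Path, so "%2e%2e%2f" would arrive here as "../".
	requests := []string{
		"/index.html",
		"../../etc/passwd",
		"/static/../../../etc/shadow",
		"",
	}
	for _, r := range requests {
		u := unsafeResolve(webRoot, r)
		s := safeResolve(webRoot, r)
		fmt.Printf("%-30q unsafe=%-22s inside=%-5t safe=%-26s inside=%t\n",
			r, u, withinRoot(webRoot, u), s, withinRoot(webRoot, s))
	}
}
```

Running it shows the distinction the alert is making: a rooted request such as `/static/../../../etc/shadow` is clamped at `/` by `Clean` in both forms, but a relative request such as `../../etc/passwd` survives `filepath.Clean` unchanged and escapes to `/etc/passwd` in the unsafe form, while the suggested rewrite pins it to `/srv/www/etc/passwd`. Neither form resolves symlinks inside the root, so a link planted under `webRoot` still points wherever it likes; that is the gap SecureJoin closes.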

root and others added 2 commits November 11, 2025 12:39
@github-actions
This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

@github-actions github-actions bot added the stale label Dec 11, 2025