CVE-2022-29804: A Look at the Path/filepath Directory Traversal Vulnerability in Golang on Windows

The official release of Go earlier this year caught the attention of several security researchers and development teams, partly due to its focus on improving compatibility with existing tooling and performance improvements. However, as is almost always the case, new software updates often introduce new security issues, and Go is no exception.

In this post, we will explore CVE-2022-29804, a security vulnerability identified in the Clean function of path/filepath compatibility library in Go before versions 1.17.11 and 1.18.3 on Windows systems. This flaw could potentially expose users to directory traversal attacks.

Understanding CVE-2022-29804

CVE-2022-29804 revolves around an issue with path conversion in the filepath.Clean function in Golang's path/filepath library. On Windows specifically, the vulnerability arises from the incorrect conversion of certain invalid paths into valid, absolute paths. The issue was found to affect Golang applications running on Windows systems before Go 1.17.11 and Go 1.18.3.

Exploiting this vulnerability may allow an attacker to perform a directory traversal attack, which could potentially lead to unauthorized access to an application's resources.

How the Vulnerability Occurs

We can illustrate the vulnerability with a code snippet that demonstrates the path/filepath package's Clean function on a Windows system:

package main

import (
	"fmt"
	"path/filepath"
)

func main() {
	// The following string should fail the Clean function
	basePath := C:\Users\test/documents/\..\./uploads\
	cleanedPath := filepath.Clean(basePath)
	fmt.Println(cleanedPath)
}

Due to the incorrect path handling in the function on Windows, the Clean function will return "C:/Users/test/uploads", allowing the attacker to traverse to a different directory than intended. This exposes the potential for unauthorized access to sensitive data or resources.

Mitigation and Recommendations

Developers using the path/filepath package on Windows systems should be aware of this vulnerability and upgrade Go to version 1.17.11 or 1.18.3 immediately to mitigate the risk of a potential directory traversal attack. Upgrading to these versions ensures that the filepath.Clean function correctly handles path conversion for the given system.

Another recommendation to help protect against directory traversal attacks is to implement proper input validation when accepting external paths. This involves sanitizing user input and rejecting any suspicious paths or known harmful character sequences.

For more information about CVE-2022-29804, you can refer to the following sources

1. GoLang Security Advisory
2. GitHub Issue #49952
3. CVE-2022-29804 Details

Conclusion

CVE-2022-29804 highlights the importance of keeping your software dependencies up to date and paying attention to security advisories. The Golang development team addressed this issue in versions 1.17.11 and 1.18.3, which prevents the filepath.Clean function from converting invalid paths that may lead to directory traversal vulnerabilities on Windows systems. If you rely on path/filepath in your Windows application, update your Go version immediately and consider implementing proper validation to sanitize user input further.

Timeline

Published on: 08/10/2022 20:15:00 UTC
Last modified on: 08/15/2022 17:07:00 UTC