
Add path traversal attack tests

Open kele opened this issue 4 years ago • 1 comment

https://owasp.org/www-community/attacks/Path_Traversal

Check the behavior of Go's standard library file server functions, like:

kele avatar Jan 05 '21 09:01 kele

I would also add that the Filename field of the multipart FileHeader type might be a relative directory path or a fully qualified path, unlike the name seems to suggest.

This means that users might inadvertently allow attackers to upload files outside of their intended directory if no path stripping is performed.

To summarize, we have to protect against two kinds of path traversal attacks: on file submission and on resource requests (AKA path traversal in upload/download).

empijei avatar Jan 07 '21 08:01 empijei