forked from github/codeql
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathTaintedPath.go
More file actions
102 lines (85 loc) · 2.98 KB
/
TaintedPath.go
File metadata and controls
102 lines (85 loc) · 2.98 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
package main
import (
"io/ioutil"
"mime/multipart"
"net/http"
"os"
"path"
"path/filepath"
"regexp"
"strings"
)
func handler(w http.ResponseWriter, r *http.Request) {
tainted_path := r.URL.Query()["path"][0]
// BAD: This could read any file on the file system
data, _ := ioutil.ReadFile(tainted_path)
w.Write(data)
// BAD: This could still read any file on the file system
data, _ = ioutil.ReadFile(filepath.Join("/home/user/", tainted_path))
w.Write(data)
// GOOD: This can only read inside the provided safe path
sanitized_filepath, _ := filepath.Rel("/home/user/safepath", tainted_path)
data, _ = ioutil.ReadFile(sanitized_filepath)
w.Write(data)
// GOOD: This can only read inside the provided safe path
if !strings.Contains(tainted_path, "..") {
data, _ = ioutil.ReadFile(tainted_path)
w.Write(data)
}
// GOOD: Sanitized by strings.ReplaceAll and replaces all .. with empty string
data, _ = ioutil.ReadFile(strings.ReplaceAll(tainted_path, "..", ""))
w.Write(data)
// GOOD: This can only read inside the provided safe path
_, err := filepath.Rel("/home/user/safepath", tainted_path)
if err == nil {
data, _ = ioutil.ReadFile(tainted_path)
w.Write(data)
}
// GOOD: An attempt has been made to ensure that this can only read inside
// the provided safe path
if strings.HasPrefix(tainted_path, "/home/user/safepath/") {
data, _ = ioutil.ReadFile(tainted_path)
w.Write(data)
}
// GOOD: An attempt has been made to ensure that this can only read inside
// the provided safe path
matched, _ := regexp.MatchString("\\.\\.", tainted_path)
if !matched {
data, _ = ioutil.ReadFile(filepath.Join("/home/user/", tainted_path))
w.Write(data)
}
// GOOD: Sanitized by filepath.Clean with a prepended '/' forcing interpretation
// as an absolute path, so that Clean will throw away any leading `..` components.
data, _ = ioutil.ReadFile(filepath.Clean("/" + tainted_path))
w.Write(data)
// GOOD: Sanitized by filepath.Clean with a prepended os.PathSeparator forcing interpretation
// as an absolute path, so that Clean will throw away any leading `..` components.
data, _ = ioutil.ReadFile(filepath.Clean(string(os.PathSeparator) + tainted_path))
w.Write(data)
// BAD: Sanitized by path.Clean with a prepended '/' forcing interpretation
// as an absolute path, however is not sufficient for Windows paths.
data, _ = ioutil.ReadFile(path.Clean("/" + tainted_path))
w.Write(data)
// GOOD: Multipart.Form.FileHeader.Filename sanitized by filepath.Base when calling ParseMultipartForm
r.ParseMultipartForm(32 << 20)
form := r.MultipartForm
files, ok := form.File["files"]
if !ok {
return
}
data, _ = ioutil.ReadFile(files[0].Filename)
w.Write(data)
// GOOD: Part.FileName sanitized by filepath.Base
r.ParseMultipartForm(32 << 20)
file, _, err := r.FormFile("uploadfile")
if err != nil {
return
}
reader := multipart.NewReader(file, "foo")
// Read the first part
part, err := reader.NextPart()
if err != nil {
return
}
data, _ = ioutil.ReadFile(part.FileName())
}