Path Traversal
Description
The application dynamically constructs file or path information. If the path information comes from user input, it could be abused to read sensitive files, access other users' data, or aid in exploitation to gain further system access.
Examples
Insecure Code
```go
// user_input may contain "../" segments or an absolute path, so the joined
// result can point anywhere on the filesystem.
filepath.Join(basePath, user_input)
```
Secure Code
```go
// filepath.Base keeps only the final path element, discarding any directory
// components supplied by the user. filepath.Join returns a single string.
resolvedPath := filepath.Join(basePath, filepath.Base(data.id))
```
Remediation
Use filepath.Base so that only the file name, and no directory component, is taken from user input. Always validate that the fully resolved path still lies inside the intended base directory before opening or writing any file. Consider hashing user input, or replacing it with server-generated unique values, so that user-controlled strings never reach the filesystem at all.
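The following is an added example, not code from the rule or the scanned project, showing the insecure join beside a hardened helper that applies both remediation steps: it strips directory components with filepath.Base and then verifies that the cleaned result still lies under the base directory. The base directory `/srv/uploads`, the helper names `UnsafeJoin`/`SafeJoin`, and the sample inputs are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when the requested name cannot be mapped to a
// file strictly inside the base directory.
var ErrOutsideBase = errors.New("path escapes base directory")

// UnsafeJoin is the pattern the rule flags: the user-supplied string is joined
// as-is, so "../" segments and absolute paths are honoured by Clean.
func UnsafeJoin(basePath, untrusted string) string {
	return filepath.Join(basePath, untrusted)
}

// SafeJoin maps an untrusted name to a path under basePath in two layers:
//  1. filepath.Base discards every directory component, so
//     "../../etc/passwd" and "/etc/passwd" both become "passwd".
//  2. The joined result is compared against the cleaned base, which rejects
//     inputs whose Base collapses to ".", ".." or the separator ("", ".", "..",
//     "/") and would otherwise name the base directory itself.
// Note: on Unix a backslash is an ordinary filename character, so an input
// such as `..\..\x` becomes a literal file name under base, not a traversal.
func SafeJoin(basePath, untrusted string) (string, error) {
	base := filepath.Clean(basePath)
	name := filepath.Base(untrusted)
	if name == "." || name == ".." || name == string(filepath.Separator) {
		return "", ErrOutsideBase
	}
	resolved := filepath.Join(base, name)
	// Join already cleans; require the result to be strictly below base.
	if !strings.HasPrefix(resolved, base+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return resolved, nil
}

func main() {
	const base = "/srv/uploads" // constructed example directory
	inputs := []string{"report.pdf", "../../etc/passwd", "/etc/passwd", "..", ""}
	for _, in := range inputs {
		safe, err := SafeJoin(base, in)
		fmt.Printf("%-20q unsafe=%-26s safe=%-26s err=%v\n",
			in, UnsafeJoin(base, in), safe, err)
	}
}
```

Even with SafeJoin in place, open the file with the resolved path and treat the name as opaque data; if the application does not need user-chosen file names at all, generating a random identifier server-side and storing the user's string only as metadata removes this class of bug entirely.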
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0783 |
| Category | AccessControl |
| Severity | MEDIUM |
| CWE | CWE-22 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | path traversal, file access |
| OWASP | A5:2017-Broken Access Control, A01:2021-Broken Access Control |