SYM_GO_0007 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
OWASP | A05:2017 - Broken Access Control |
Confidence Level | Medium |
Impact Level | Medium |
Likelihood Level | Medium |
Description
Using Go's `Clean` or `path.Clean` to sanitize user-supplied file paths is unsafe: these functions only normalize the path lexically and do not confine it to a directory, so they do not prevent path traversal attacks. Attackers can still craft inputs that reach files outside the intended directory.
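The following added example (not part of the original rule page or the project's code) shows the flagged pattern next to one common containment check based on `filepath.Rel`. The names `baseDir`, `naiveResolve` and `safeResolve` are hypothetical, the inputs are constructed, and POSIX path separators are assumed.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// baseDir is a hypothetical serving root, assumed for this example.
const baseDir = "/srv/app/uploads"

var errEscapes = errors.New("path escapes base directory")

// naiveResolve is the flagged pattern: Clean only shortens the path
// lexically, so leading ".." elements survive and climb out of baseDir.
func naiveResolve(userPath string) string {
	return filepath.Join(baseDir, filepath.Clean(userPath))
}

// safeResolve joins first, then checks that the result is still inside
// baseDir. The check is lexical and does not resolve symlinks.
func safeResolve(userPath string) (string, error) {
	full := filepath.Join(baseDir, userPath)
	rel, err := filepath.Rel(baseDir, full)
	if err != nil || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errEscapes
	}
	return full, nil
}

func main() {
	// Constructed sample inputs.
	inputs := []string{"reports/../a.txt", "..hidden", "../../../etc/passwd"}
	for _, in := range inputs {
		safe, err := safeResolve(in)
		fmt.Printf("%-22q clean=%q naive=%q safe=%q err=%v\n",
			in, filepath.Clean(in), naiveResolve(in), safe, err)
	}
}
```

A file name such as `..hidden` is accepted because only a whole `..` path element counts as an escape.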
Impact
If exploited, attackers could read or manipulate sensitive files on the server by bypassing directory restrictions, leading to data breaches, leakage of credentials, or compromise of confidential information.