Go 1.24 provides a new file API, os.Root, which defends against some kinds of path traversal attacks.
Path traversal attacks
The blog post introduces three situations of path traversal attacks.
User control over the input file path
If the attacker controls part of the local filesystem, they may be able to use symbolic links to cause a program to access the wrong file:
// Attacker links /home/user/.config to /home/otheruser/.config:
err := os.WriteFile("/home/user/.config/foo", config, 0o666)
This attack reminds me of SQL injection attacks, in that the resource destination is a variable that can be manipulated by the attacker.
The XSS attack is another common one related to user input. I have handled business requirements before that allowed users to execute their own JavaScript scripts on the platform itself, to achieve a sort of “customization”. I think this is quite common in areas like low-code software. These kinds of use cases really need to be handled very carefully.
Programmers actually need to be aware of ANY kind of user input, as it is the entry point that welcomes attackers to interact with the system. See input validation attack.
Symbolic links
Given the ability to control part of the local filesystem, an attacker may create a symlink pointing to a specific file.
This is very interesting: I often think of race conditions in async calls, concurrent programming or parallel programming, but less so in this kind of sequential situation. Often when importing and calling functions in sequence, I unconsciously assume that it is “fast” enough and that a race cannot happen between the “checking” call and the “using” call of the checking result.
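As an added example (not code from the Go blog post or from this page), the following Go program plays out both situations above: a check-then-use reader validates the path with filepath.EvalSymlinks, but an attacker swaps a symlink into the window between the check and the open, so the plain os.ReadFile follows it out of the trusted directory; the same read through os.Root fails because the symlink would leave the root. The temp-directory layout, the file names and the helpers buildTree, swapInSymlink, readChecked, readRooted and demo are all constructed for this illustration (mirroring the post's /home/user and /home/otheruser), and it assumes Go 1.24 or later on a filesystem that permits symlinks.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// buildTree creates a constructed sample layout under a temp dir:
//   base/user/.config/            a real directory at first (trusted side)
//   base/otheruser/.config/foo    the victim file, contents "secret"
func buildTree() (base string, err error) {
	base, err = os.MkdirTemp("", "toctou-demo")
	if err != nil {
		return "", err
	}
	for _, d := range []string{"user/.config", "otheruser/.config"} {
		if err := os.MkdirAll(filepath.Join(base, d), 0o755); err != nil {
			return "", err
		}
	}
	err = os.WriteFile(filepath.Join(base, "otheruser", ".config", "foo"), []byte("secret"), 0o644)
	return base, err
}

// swapInSymlink is the attacker's move from the post: replace user/.config
// with a symlink to otheruser/.config. Write access to base/user suffices.
func swapInSymlink(base string) error {
	link := filepath.Join(base, "user", ".config")
	if err := os.RemoveAll(link); err != nil {
		return err
	}
	return os.Symlink(filepath.Join("..", "otheruser", ".config"), link)
}

// readChecked is the check-then-use pattern: resolve the parent directory,
// confirm it is still inside dir, then open. between() stands in for the
// gap between the check and the open, where the filesystem may change.
func readChecked(dir, rel string, between func()) ([]byte, error) {
	full := filepath.Join(dir, rel)
	resolved, err := filepath.EvalSymlinks(filepath.Dir(full))
	if err != nil {
		return nil, err
	}
	realDir, err := filepath.EvalSymlinks(dir)
	if err != nil {
		return nil, err
	}
	if resolved != realDir && !strings.HasPrefix(resolved, realDir+string(os.PathSeparator)) {
		return nil, fmt.Errorf("%s escapes %s", rel, dir)
	}
	between() // the race window
	return os.ReadFile(full) // follows whatever .config is now
}

// readRooted does the same read through os.Root (Go 1.24+). There is no
// separate check step: each component is resolved as the open happens, and a
// symlink whose target lies outside dir makes the open fail.
func readRooted(dir, rel string) ([]byte, error) {
	root, err := os.OpenRoot(dir)
	if err != nil {
		return nil, err
	}
	defer root.Close()
	f, err := root.Open(rel)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	return io.ReadAll(f)
}

// demo races the checked reader against the symlink swap, then tries the
// rooted reader on the now-hostile tree. It returns what the checked read
// leaked and the error os.Root returned (non-nil means the escape was blocked).
func demo() (leaked string, rootedErr error, err error) {
	base, err := buildTree()
	if err != nil {
		return "", nil, err
	}
	defer os.RemoveAll(base)
	trusted := filepath.Join(base, "user")
	rel := filepath.Join(".config", "foo")

	data, err := readChecked(trusted, rel, func() { _ = swapInSymlink(base) })
	if err != nil {
		return "", nil, err
	}
	leaked = string(data)

	_, rootedErr = readRooted(trusted, rel)
	return leaked, rootedErr, nil
}

func main() {
	leaked, rootedErr, err := demo()
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	fmt.Printf("check-then-use read %q from outside the trusted tree\n", leaked)
	fmt.Println("os.Root rejected the same path:", rootedErr)
}
```

The point of the hook in readChecked is that the check and the open are two separate system calls, so nothing stops the path from changing in between; os.Root removes that gap by resolving the path relative to an already-open directory and refusing any component that leaves it.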