# GO-PATH-001: Path Traversal via HTTP Input > **Severity:** HIGH | **CWE:** CWE-22 | **OWASP:** A01:2021 - **Language:** Go - **Category:** Security - **URL:** https://codepathfinder.dev/registry/golang/security/GO-PATH-001 - **Detection:** `pathfinder scan --ruleset golang/GO-PATH-001 --project .` ## Description Path traversal occurs when user-controlled input is used in file system operations without properly restricting the resulting path to an intended directory. Attackers inject sequences like `../../etc/passwd`, `../../../etc/shadow`, or `%2e%2e%2f` to read or write files outside the intended base directory. **Go-specific pitfall — filepath.Join with absolute paths**: `filepath.Join("/var/uploads", "/etc/passwd")` returns `/etc/passwd` in Go. This is documented behavior: if an element is an absolute path, all preceding elements are discarded. A user supplying `/etc/passwd` as a filename completely bypasses the base directory constraint. **filepath.Clean() is necessary but NOT sufficient**: `filepath.Clean("../../../etc/passwd")` returns `../../etc/passwd` — it resolves redundant separators and dots but does not anchor to any base directory. Clean must be followed by a `strings.HasPrefix(clean, baseDir)` check with a trailing separator. **The correct pattern**: ```go clean := filepath.Join(baseDir, filename) clean = filepath.Clean(clean) if !strings.HasPrefix(clean, baseDir+string(filepath.Separator)) { // path traversal attempt } ``` Note the trailing separator — without it, `baseDir = "/uploads"` and `clean = "/uploads-secret/file.txt"` would pass the prefix check. **Zip Slip vulnerability**: Archive extraction (zip, tar) is a common path traversal vector. A malicious archive contains entries with paths like `../../etc/cron.d/backdoor`. When extracted without path validation, files are written outside the extraction directory. Go's archive/zip and archive/tar packages provide the raw filename from the archive without sanitization — developers must validate each entry's path before extraction. **Null byte injection**: In some contexts, filenames containing null bytes (`filename\x00.jpg`) may be truncated at the null byte by underlying C library functions. Go's os package handles null bytes safely (returns an error), but third-party or CGO code may not. ## Vulnerable Code ```python # --- file: vulnerable.go --- // GO-PATH-001 positive test cases — all SHOULD be detected package main import ( "net/http" "os" "path/filepath" "github.com/gin-gonic/gin" ) func pathTraversalReadFile(w http.ResponseWriter, r *http.Request) { filename := r.FormValue("file") // source content, _ := os.ReadFile("/var/uploads/" + filename) // SINK: path traversal w.Write(content) } func pathTraversalOpen(w http.ResponseWriter, r *http.Request) { path := r.FormValue("path") // source os.Open(path) // SINK } func pathTraversalCreate(c *gin.Context) { name := c.Param("filename") // source os.Create("/tmp/" + name) // SINK } func pathTraversalJoin(w http.ResponseWriter, r *http.Request) { dir := r.FormValue("dir") // source fullPath := filepath.Join("/data", dir) // SINK: join with user input os.ReadFile(fullPath) } # --- file: go.mod --- module example.com/go-path-001/positive go 1.25.0 require github.com/gin-gonic/gin v1.12.0 require ( github.com/bytedance/gopkg v0.1.3 // indirect github.com/bytedance/sonic v1.15.0 // indirect github.com/bytedance/sonic/loader v0.5.0 // indirect github.com/cloudwego/base64x v0.1.6 // indirect github.com/gabriel-vasile/mimetype v1.4.12 // indirect github.com/gin-contrib/sse v1.1.0 // indirect github.com/go-playground/locales v0.14.1 // indirect github.com/go-playground/universal-translator v0.18.1 // indirect github.com/go-playground/validator/v10 v10.30.1 // indirect github.com/goccy/go-json v0.10.5 // indirect github.com/goccy/go-yaml v1.19.2 // indirect github.com/json-iterator/go v1.1.12 // indirect github.com/klauspost/cpuid/v2 v2.3.0 // indirect github.com/leodido/go-urn v1.4.0 // indirect github.com/mattn/go-isatty v0.0.20 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/pelletier/go-toml/v2 v2.2.4 // indirect github.com/quic-go/qpack v0.6.0 // indirect github.com/quic-go/quic-go v0.59.0 // indirect github.com/twitchyliquid64/golang-asm v0.15.1 // indirect github.com/ugorji/go/codec v1.3.1 // indirect go.mongodb.org/mongo-driver/v2 v2.5.0 // indirect golang.org/x/arch v0.22.0 // indirect golang.org/x/crypto v0.48.0 // indirect golang.org/x/net v0.51.0 // indirect golang.org/x/sys v0.41.0 // indirect golang.org/x/text v0.34.0 // indirect google.golang.org/protobuf v1.36.10 // indirect ) # --- file: go.sum --- github.com/bytedance/gopkg v0.1.3 h1:TPBSwH8RsouGCBcMBktLt1AymVo2TVsBVCY4b6TnZ/M= github.com/bytedance/gopkg v0.1.3/go.mod h1:576VvJ+eJgyCzdjS+c4+77QF3p7ubbtiKARP3TxducM= github.com/bytedance/sonic v1.15.0 h1:/PXeWFaR5ElNcVE84U0dOHjiMHQOwNIx3K4ymzh/uSE= github.com/bytedance/sonic v1.15.0/go.mod h1:tFkWrPz0/CUCLEF4ri4UkHekCIcdnkqXw9VduqpJh0k= github.com/bytedance/sonic/loader v0.5.0 h1:gXH3KVnatgY7loH5/TkeVyXPfESoqSBSBEiDd5VjlgE= github.com/bytedance/sonic/loader v0.5.0/go.mod h1:AR4NYCk5DdzZizZ5djGqQ92eEhCCcdf5x77udYiSJRo= github.com/cloudwego/base64x v0.1.6 h1:t11wG9AECkCDk5fMSoxmufanudBtJ+/HemLstXDLI2M= github.com/cloudwego/base64x v0.1.6/go.mod h1:OFcloc187FXDaYHvrNIjxSe8ncn0OOM8gEHfghB2IPU= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/gabriel-vasile/mimetype v1.4.12 h1:e9hWvmLYvtp846tLHam2o++qitpguFiYCKbn0w9jyqw= github.com/gabriel-vasile/mimetype v1.4.12/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s= github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w= github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM= github.com/gin-gonic/gin v1.12.0 h1:b3YAbrZtnf8N//yjKeU2+MQsh2mY5htkZidOM7O0wG8= github.com/gin-gonic/gin v1.12.0/go.mod h1:VxccKfsSllpKshkBWgVgRniFFAzFb9csfngsqANjnLc= github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s= github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4= github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA= github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY= github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY= github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY= github.com/go-playground/validator/v10 v10.30.1 h1:f3zDSN/zOma+w6+1Wswgd9fLkdwy06ntQJp0BBvFG0w= github.com/go-playground/validator/v10 v10.30.1/go.mod h1:oSuBIQzuJxL//3MelwSLD5hc2Tu889bF0Idm9Dg26cM= github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4= github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M= github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM= github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA= github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y= github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0= github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ= github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI= github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4= github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/quic-go/qpack v0.6.0 h1:g7W+BMYynC1LbYLSqRt8PBg5Tgwxn214ZZR34VIOjz8= github.com/quic-go/qpack v0.6.0/go.mod h1:lUpLKChi8njB4ty2bFLX2x4gzDqXwUpaO1DP9qMDZII= github.com/quic-go/quic-go v0.59.0 h1:OLJkp1Mlm/aS7dpKgTc6cnpynnD2Xg7C1pwL6vy/SAw= github.com/quic-go/quic-go v0.59.0/go.mod h1:upnsH4Ju1YkqpLXC305eW3yDZ4NfnNbmQRCMWS58IKU= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U= github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U= github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI= github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08= github.com/ugorji/go/codec v1.3.1 h1:waO7eEiFDwidsBN6agj1vJQ4AG7lh2yqXyOXqhgQuyY= github.com/ugorji/go/codec v1.3.1/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4= go.mongodb.org/mongo-driver/v2 v2.5.0 h1:yXUhImUjjAInNcpTcAlPHiT7bIXhshCTL3jVBkF3xaE= go.mongodb.org/mongo-driver/v2 v2.5.0/go.mod h1:yOI9kBsufol30iFsl1slpdq1I0eHPzybRWdyYUs8K/0= go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y= go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU= golang.org/x/arch v0.22.0 h1:c/Zle32i5ttqRXjdLyyHZESLD/bB90DCU1g9l/0YBDI= golang.org/x/arch v0.22.0/go.mod h1:dNHoOeKiyja7GTvF9NJS1l3Z2yntpQNzgrjh1cU103A= golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts= golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos= golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo= golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k= golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk= golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA= google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE= google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= ``` ## Secure Code ```python // SECURE: filepath.Join + Clean + HasPrefix check (with trailing separator) func serveFile(w http.ResponseWriter, r *http.Request) { filename := r.FormValue("file") baseDir := "/var/uploads" // Join, then Clean to resolve any remaining .. or . clean := filepath.Clean(filepath.Join(baseDir, filename)) // CRITICAL: check with trailing separator to prevent "/uploads-evil" bypass if !strings.HasPrefix(clean, baseDir+string(filepath.Separator)) { http.Error(w, "invalid path", http.StatusBadRequest) return } http.ServeFile(w, r, clean) } // SECURE: zip extraction with path traversal prevention func extractZip(archive *zip.ReadCloser, destDir string) error { destDir = filepath.Clean(destDir) + string(filepath.Separator) for _, f := range archive.File { // Validate destination path before extraction destPath := filepath.Clean(filepath.Join(destDir, f.Name)) if !strings.HasPrefix(destPath, destDir) { return fmt.Errorf("zip slip detected: %s", f.Name) } if f.FileInfo().IsDir() { os.MkdirAll(destPath, f.Mode()) continue } os.MkdirAll(filepath.Dir(destPath), 0755) out, err := os.OpenFile(destPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, f.Mode()) if err != nil { return err } rc, _ := f.Open() io.Copy(out, rc) out.Close() rc.Close() } return nil } ``` ## Detection Rule (Python SDK) ```python """GO-PATH-001: Path traversal via HTTP request input reaching file system operations.""" from codepathfinder.go_rule import ( GoGinContext, GoHTTPRequest, GoOS, GoFilepath, ) from codepathfinder import flows from codepathfinder.presets import PropagationPresets from codepathfinder.go_decorators import go_rule @go_rule( id="GO-PATH-001", severity="HIGH", cwe="CWE-22", owasp="A01:2021", tags="go,security,path-traversal,file-system,CWE-22,OWASP-A01", message=( "User-controlled input flows into file system operations (os.Open, os.Create, " "os.ReadFile, filepath.Join). This creates a path traversal vulnerability — " "attackers can read or write arbitrary files by injecting '../' sequences. " "Use filepath.Clean() and validate the result stays within the intended base directory." ), ) def go_path_traversal(): """HTTP request input reaches file system operations — path traversal.""" return flows( from_sources=[ GoGinContext.method( "Param", "Query", "PostForm", "GetRawData", "ShouldBindJSON", "BindJSON", "GetHeader" ), GoHTTPRequest.method("FormValue", "PostFormValue"), GoHTTPRequest.attr("URL.Path", "URL.RawQuery"), ], to_sinks=[ GoOS.method( "Open", "OpenFile", "Create", "CreateTemp", "ReadFile", "WriteFile", "Remove", "RemoveAll", "Mkdir", "MkdirAll", "Stat", "Lstat", ), GoFilepath.method("Join", "Abs"), ], propagates_through=PropagationPresets.standard(), scope="global", ) ``` ## How to Fix - Always use filepath.Clean() after filepath.Join() to resolve remaining .. components. - After Clean, verify the path has the expected base directory prefix WITH a trailing separator. - Never trust user-supplied filenames from archives — validate each entry path during extraction. - Use os.OpenFile with appropriate flags; consider os.O_EXCL to prevent overwrite attacks. - Reject filenames containing null bytes, path separators, or explicit .. components. - Serve static files through http.FileServer with a restricted http.Dir, not by path construction. ## Security Implications - **Sensitive File Read:** Attackers read `/etc/passwd`, `/etc/shadow` (Unix), `C:\Windows\System32\config\SAM` (Windows), application configuration files containing database credentials, TLS private keys, or cloud credential files (~/.aws/credentials). - **Application Source Code Disclosure:** Reading `../../app/main.go`, `../../.env`, or `../../config.yaml` exposes application secrets, database passwords, API keys, and business logic. - **Malicious File Write (Remote Code Execution):** Write access enables persistence: write to `/etc/cron.d/`, `~/.ssh/authorized_keys`, or executable paths. In web contexts, writing a server-side script to a web-accessible directory enables RCE. - **Zip Slip — Archive Extraction RCE:** A malicious archive entry `../../.ssh/authorized_keys` writes the attacker's SSH public key to the server's authorized_keys file during archive extraction. Demonstrated against multiple Go-based archive tools. ## References - [CWE-22: Path Traversal — MITRE](https://cwe.mitre.org/data/definitions/22.html) - [OWASP Path Traversal attack](https://owasp.org/www-community/attacks/Path_Traversal) - [OWASP Testing Guide: Path Traversal (v4.2)](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include) - [Zip Slip — path traversal in archive extraction](https://github.com/snyk/zip-slip-vulnerability) - [Go filepath package documentation](https://pkg.go.dev/path/filepath) - [Go filepath.Join behavior with absolute paths](https://pkg.go.dev/path/filepath#Join) --- Source: https://codepathfinder.dev/registry/golang/security/GO-PATH-001 Code Pathfinder — Open source, type-aware SAST with cross-file dataflow analysis