Go Lang → Directory Traversal

KG
Aug 29, 2020

This article is a short example of Directory Traversal in a program written in Go. For readers who are new to Directory Traversal, here is the idea.

Path Traversal, or Directory Traversal, is also known as a dot-dot-slash attack. The attacker takes advantage of a file path that the software exposes and that is under user control, traversing out of the application's directories to read or overwrite sensitive system files.

Code snippet:

In the above code snippet, a file is created under the .list1/images path and no validation is performed on its name. In line number 12, the file name supplied by the user is appended directly to the folder path and the file is created there.

An attacker can supply a name containing dot-dot-slash sequences and so create a malicious file in one of the operating system's important paths. If such a file is executable, it can take the system down or cause other adverse effects.

Directory Traversal Attack Scenario:

The same code snippet, run on Linux, shows an executable file being created in the root folder, because no proper validation is performed on the file name supplied by the user.

Remediation:

The most effective way to prevent file path traversal vulnerabilities is to avoid passing user-supplied input to the filesystem.

  • The application should validate user input before processing it. The validation should compare the input against a whitelist of permitted values.
  • Remove “..\” and “../” from any input that is used in a file context.
  • Implement strict code access policies to restrict where files can be saved, and build the path with SecureJoin rather than a plain join.
  • Ensure the user cannot supply any part of the path of the file being read or written.
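As an added example (not the article's own snippet, which is not reproduced on this page), here is the vulnerable join beside a hardened form. The .list1/images base folder comes from the article; the function names unsafePath, safePath and createUpload are mine, and the containment check is a standard-library stand-in for the SecureJoin package the remediation list names.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a user-supplied name would leave the base folder.
var ErrOutsideBase = errors.New("file name escapes the base directory")

// unsafePath reproduces the article's pattern: the user-supplied name is joined
// onto the folder path with no validation, so "../" components walk out of it.
func unsafePath(base, name string) string {
	return filepath.Join(base, name)
}

// safePath is the hardened form: join, let Join collapse ".." components, then
// prove with filepath.Rel that the result still lies under base. Standard library
// only; SecureJoin does the same containment check and also resolves symlinks.
func safePath(base, name string) (string, error) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(absBase, name)
	rel, err := filepath.Rel(absBase, candidate)
	if err != nil {
		return "", err
	}
	// rel is "." for an empty name and begins with ".." if the path climbed above base.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return candidate, nil
}

// createUpload creates the file only after safePath has accepted the name.
func createUpload(base, name string) (string, error) {
	p, err := safePath(base, name)
	if err != nil {
		return "", err
	}
	f, err := os.Create(p)
	if err != nil {
		return "", err
	}
	return p, f.Close()
}
```

unsafePath(".list1/images", "../../../evil.sh") resolves to ../evil.sh, outside the images folder; safePath rejects the same name with ErrOutsideBase.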
