Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) |
| OWASP | A05:2017 - Broken Access Control |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
Using Go's filepath.Clean or path.Clean to sanitize user-supplied file paths is unsafe: these functions only normalize the path lexically and do not confine it to the intended directory, so an attacker can still craft input containing ".." segments that resolves to files outside that directory.
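The following is an added example, not code from the page or from any particular project, contrasting the flagged pattern with a containment check. The base directory /srv/app/uploads, the request paths and the function names are constructed for illustration; no files are accessed. UnsafeResolve shows why Clean alone is not a control, NaiveResolve shows a second common mistake (a plain string-prefix check that accepts a sibling directory sharing the prefix), and SafeResolve rejects anything whose relative position to the base starts with "..".

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// baseDir is a constructed restricted directory for the example; nothing on
// disk is touched, the functions below only compute paths.
const baseDir = "/srv/app/uploads"

// ErrOutsideBase is returned when a resolved path escapes baseDir.
var ErrOutsideBase = errors.New("path escapes base directory")

// UnsafeResolve mirrors the pattern the rule flags: Clean only normalizes the
// string, so leading ".." segments survive and the joined result can leave
// baseDir entirely.
func UnsafeResolve(userPath string) string {
	return filepath.Join(baseDir, filepath.Clean(userPath))
}

// NaiveResolve adds a string-prefix check. It blocks "../../etc/passwd" but
// still accepts "../uploads2/secret", because "/srv/app/uploads2/..." starts
// with the text "/srv/app/uploads".
func NaiveResolve(userPath string) (string, error) {
	full := filepath.Join(baseDir, userPath)
	if !strings.HasPrefix(full, baseDir) {
		return "", ErrOutsideBase
	}
	return full, nil
}

// SafeResolve joins the path (Join cleans the result) and then asks where the
// result sits relative to baseDir. Any answer that begins with ".." means the
// request points outside the restricted directory, including sibling
// directories that merely share the prefix.
func SafeResolve(userPath string) (string, error) {
	full := filepath.Join(baseDir, userPath)
	rel, err := filepath.Rel(baseDir, full)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return full, nil
}

func main() {
	// Constructed request paths: one legitimate, two traversal attempts.
	for _, p := range []string{"reports/2024/q1.txt", "../../etc/passwd", "../uploads2/secret"} {
		naive, naiveErr := NaiveResolve(p)
		safe, safeErr := SafeResolve(p)
		fmt.Printf("%-22s unsafe=%s naive=(%s,%v) safe=(%s,%v)\n",
			p, UnsafeResolve(p), naive, naiveErr, safe, safeErr)
	}
}
```

On Go 1.20 and later, filepath.IsLocal offers a standard-library check that a path is lexically local (no ".." escape and not absolute) and can be applied to the user-supplied component before joining; the Rel-based check above works on older toolchains as well. Both are lexical checks only: if the base directory may contain symbolic links, the path must additionally be validated after symlink resolution.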
Impact
If exploited, an attacker could read or modify sensitive files on the server by bypassing directory restrictions, leading to data breaches, leaked credentials, or exposure of confidential information.