# Path Traversal via File Operations

- ID: go-path-traversal
- Severity: HIGH
- CWE: Path Traversal (CWE-22)
- Languages: Go
- Frameworks: stdlib, gin, echo, fiber, chi, gorilla

## Description

User input flows to file operations such as `os.Open` without path validation.

## Detection Message

Untrusted input from {source} reaches file operation at {sink}. This allows an attacker to access files outside the intended directory.

## Remediation

Validate that the resolved absolute path stays within the base directory, and check the errors from `filepath.Abs` rather than discarding them.

```go
cleanPath := filepath.Clean(filename)
fullPath := filepath.Join(baseDir, cleanPath)
absPath, err := filepath.Abs(fullPath)
if err != nil {
	return err
}
absBase, err := filepath.Abs(baseDir)
if err != nil {
	return err
}
// The trailing separator keeps "/srv/files2" from matching base "/srv/files".
if !strings.HasPrefix(absPath, absBase+string(os.PathSeparator)) {
	return errors.New("invalid path")
}
```

Learn more: https://shoulder.dev/learn/go/cwe-22/path-traversal

## Related Rules

- **Zip Slip / Path Traversal in Archive** [HIGH]
- **Path Traversal in File Operations** [CRITICAL]
- **Zip Slip Path Traversal** [HIGH]
- **Path Traversal / Directory Traversal** [HIGH]
- **Zip Slip / Archive Path Traversal** [HIGH]
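The remediation check above, carried into a complete program as an added example (this is not code from the rule page or from the shoulder.dev project). It assumes a hypothetical download handler that reads the file name from a `name` query parameter and a base directory passed in by the caller. `ResolveUnderBase` is the lexical check from the Remediation section; `ResolveExistingUnderBase` goes one step further than the page and resolves symlinks with `filepath.EvalSymlinks`, which catches a link inside the base directory that points outside it (the lexical check alone cannot see that). The table in `main` shows which inputs each check rejects.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when the resolved path escapes the base directory.
var ErrOutsideBase = errors.New("path resolves outside base directory")

// ResolveUnderBase joins a user-supplied path onto baseDir and returns the
// absolute result only if it stays strictly inside baseDir. It rejects
// "../" climbs, sibling directories that share a prefix with baseDir, and
// the empty path (which would resolve to baseDir itself). This is a purely
// lexical check: it does not consult the filesystem.
func ResolveUnderBase(baseDir, userPath string) (string, error) {
	absBase, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	// filepath.Join cleans its result, so "a/../../etc/passwd" collapses
	// before the prefix comparison runs.
	candidate, err := filepath.Abs(filepath.Join(absBase, userPath))
	if err != nil {
		return "", err
	}
	// The trailing separator prevents "/srv/files2/x" from matching "/srv/files".
	if !strings.HasPrefix(candidate, absBase+string(os.PathSeparator)) {
		return "", ErrOutsideBase
	}
	return candidate, nil
}

// ResolveExistingUnderBase adds a symlink-aware check on top of
// ResolveUnderBase. It requires the target to exist, because EvalSymlinks
// fails on missing paths; use it when the base directory may contain links.
func ResolveExistingUnderBase(baseDir, userPath string) (string, error) {
	candidate, err := ResolveUnderBase(baseDir, userPath)
	if err != nil {
		return "", err
	}
	absBase, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	realBase, err := filepath.EvalSymlinks(absBase)
	if err != nil {
		return "", err
	}
	realPath, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return "", err
	}
	// Compare the physical paths: a link under baseDir that points elsewhere
	// passes the lexical check but fails here.
	if !strings.HasPrefix(realPath, realBase+string(os.PathSeparator)) {
		return "", ErrOutsideBase
	}
	return realPath, nil
}

// downloadHandler is the hardened form of the pattern the rule flags: the
// query parameter is validated before it reaches the os.Open sink.
// (Hypothetical handler, assumed for illustration.)
func downloadHandler(baseDir string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		path, err := ResolveExistingUnderBase(baseDir, r.URL.Query().Get("name"))
		if err != nil {
			// Do not echo the resolved path back; a generic 404 is enough.
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		f, err := os.Open(path) // sink, now reached only by a validated path
		if err != nil {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		defer f.Close()
		_, _ = io.Copy(w, f)
	}
}

func main() {
	// Constructed inputs showing what the lexical check accepts and rejects.
	const base = "/srv/files"
	for _, in := range []string{"reports/q1.txt", "../../etc/passwd", "a/../../files2/x", "", "/etc/passwd"} {
		p, err := ResolveUnderBase(base, in)
		fmt.Printf("%-20q -> %q, err=%v\n", in, p, err)
	}
	http.Handle("/download", downloadHandler(base))
}
```

Note that `filepath.Join(absBase, "/etc/passwd")` yields `/srv/files/etc/passwd`, so an absolute user path is neutralised by the join rather than rejected; the prefix check is what actually enforces the boundary.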