# Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. **Stack:** Go - Prevalence: 高 频繁被利用 - Impact: 关键 1 条严重级别为关键的规则 - Prevention: 已记录 6 个修复示例 **OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1 ## Description Many file operations are intended to take place within a restricted directory. By using special elements such as '..' and '/' separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system. ## Prevention 基于 2 条 Shoulder 检测规则的 Path Traversal 预防策略。 ### Go Resolve the full path and verify it stays within the intended base directory Validate that extracted archive paths resolve within the target directory ## Consequences - 读取文件或目录 - 修改文件或目录 - 执行未授权代码 ## Mitigations - 使用经过审查的库或框架,以防止此弱点出现 - 使用严格符合规范的可接受输入的允许列表 - 对于文件名,使用限制字符集的严格允许列表 ## Detection - Total rules: 6 - Critical: 1 - Languages: go, javascript, typescript, python ## Rules by Language ### Go (2 rules) - **Path Traversal via File Operations** [HIGH]: User input flows to file operations like os.Open without path validation. - Remediation: Validate resolved path stays within the base directory. ```go cleanPath := filepath.Clean(filename) fullPath := filepath.Join(baseDir, cleanPath) absPath, _ := filepath.Abs(fullPath) absBase, _ := filepath.Abs(baseDir) if !strings.HasPrefix(absPath, absBase+string(os.PathSeparator)) { return errors.New("invalid path") } ``` Learn more: https://shoulder.dev/learn/go/cwe-22/path-traversal - **Zip Slip / Path Traversal in Archive** [HIGH]: Archive extraction uses filename without validating it stays within target directory. - Remediation: Validate extracted paths are within the target directory. ```go destPath := filepath.Join(destDir, filepath.Clean(f.Name)) if !strings.HasPrefix(destPath, filepath.Clean(destDir)+string(os.PathSeparator)) { return errors.New("illegal file path") } outFile, _ := os.Create(destPath) ``` Learn more: https://shoulder.dev/learn/go/cwe-22/zip-slip