path/filepath: path traversal in filepath.Clean on Windows (CVE-2022-41722) #57274

neild · 2022-12-13T00:52:06Z

On Windows, the filepath.Clean function could transform an invalid path such as a/../c:/b into the valid path c:\b. This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. The filepath.Clean function will now transform this path into the relative (but still invalid) path .\c:\b.

Thanks to RyotaK (https://ryotak.net/) for reporting this issue.

This is a PRIVATE issue for CVE-2022-41722, tracked in http://b/261991454 and fixed by http://tg/1675249.

neild · 2022-12-13T00:52:26Z

@gopherbot please open backport issues. This is a security fix.

gopherbot · 2022-12-13T00:52:37Z

Backport issue(s) opened: #57275 (for 1.18), #57276 (for 1.19).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

mdempsky · 2023-01-25T17:29:49Z

@gopherbot Please backport to 1.20.

gopherbot · 2023-02-14T16:39:24Z

Change https://go.dev/cl/468119 mentions this issue: [release-branch.go1.20] path/filepath: do not Clean("a/../c:/b") into c:\b on Windows

gopherbot · 2023-02-14T16:39:29Z

Change https://go.dev/cl/468123 mentions this issue: path/filepath: do not Clean("a/../c:/b") into c:\b on Windows

gopherbot · 2023-02-14T16:39:32Z

Change https://go.dev/cl/468115 mentions this issue: [release-branch.go1.19] path/filepath: do not Clean("a/../c:/b") into c:\b on Windows

… c:\b on Windows Do not permit Clean to convert a relative path into one starting with a drive reference. This change causes Clean to insert a . path element at the start of a path when the original path does not start with a volume name, and the first path element would contain a colon. This may introduce a spurious but harmless . path element under some circumstances. For example, Clean("a/../b:/../c") becomes `.\c`. This reverts CL 401595, since the change here supersedes the one in that CL. Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue. Updates #57274 Fixes #57276 Fixes CVE-2022-41722 Change-Id: I837446285a03aa74c79d7642720e01f354c2ca17 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1675249 Reviewed-by: Roland Shoemaker <bracewell@google.com> Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com> (cherry picked from commit 8ca37f4813ef2f64600c92b83f17c9f3ca6c03a5) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728944 Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/468119 Reviewed-by: Than McIntosh <thanm@google.com> Run-TryBot: Michael Pratt <mpratt@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Auto-Submit: Michael Pratt <mpratt@google.com>

… c:\b on Windows Do not permit Clean to convert a relative path into one starting with a drive reference. This change causes Clean to insert a . path element at the start of a path when the original path does not start with a volume name, and the first path element would contain a colon. This may introduce a spurious but harmless . path element under some circumstances. For example, Clean("a/../b:/../c") becomes `.\c`. This reverts CL 401595, since the change here supersedes the one in that CL. Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue. Updates #57274 Fixes #57275 Fixes CVE-2022-41722 Change-Id: I837446285a03aa74c79d7642720e01f354c2ca17 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1675249 Reviewed-by: Roland Shoemaker <bracewell@google.com> Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com> (cherry picked from commit 780dfa043ff5192c37de0d6fd1053a66b2b9f378) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728206 Reviewed-by: Damien Neil <dneil@google.com> Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/468115 Reviewed-by: Than McIntosh <thanm@google.com> Run-TryBot: Michael Pratt <mpratt@google.com> Auto-Submit: Michael Pratt <mpratt@google.com> TryBot-Bypass: Michael Pratt <mpratt@google.com>

Do not permit Clean to convert a relative path into one starting with a drive reference. This change causes Clean to insert a . path element at the start of a path when the original path does not start with a volume name, and the first path element would contain a colon. This may introduce a spurious but harmless . path element under some circumstances. For example, Clean("a/../b:/../c") becomes `.\c`. This reverts CL 401595, since the change here supersedes the one in that CL. Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue. Fixes golang#57274 Fixes CVE-2022-41722 Change-Id: I837446285a03aa74c79d7642720e01f354c2ca17 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1675249 Reviewed-by: Roland Shoemaker <bracewell@google.com> Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/468123 Run-TryBot: Michael Pratt <mpratt@google.com> Reviewed-by: Than McIntosh <thanm@google.com> Auto-Submit: Michael Pratt <mpratt@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>

… c:\b on Windows Do not permit Clean to convert a relative path into one starting with a drive reference. This change causes Clean to insert a . path element at the start of a path when the original path does not start with a volume name, and the first path element would contain a colon. This may introduce a spurious but harmless . path element under some circumstances. For example, Clean("a/../b:/../c") becomes `.\c`. This reverts CL 401595, since the change here supersedes the one in that CL. Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue. Updates golang#57274 Fixes golang#57276 Fixes CVE-2022-41722 Change-Id: I837446285a03aa74c79d7642720e01f354c2ca17 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1675249 Reviewed-by: Roland Shoemaker <bracewell@google.com> Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com> (cherry picked from commit 8ca37f4813ef2f64600c92b83f17c9f3ca6c03a5) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728944 Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/468119 Reviewed-by: Than McIntosh <thanm@google.com> Run-TryBot: Michael Pratt <mpratt@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Auto-Submit: Michael Pratt <mpratt@google.com>

rickhenderson · 2023-03-03T15:45:23Z

How is this "for Windows"? Do you mean when cleaning Windows path names?

neild · 2023-03-03T15:53:30Z

Yes. This vulnerability only exists when running with GOOS=windows, in which case the path/filepath package operates on Windows path names.

neild self-assigned this Dec 13, 2022

This was referenced Dec 13, 2022

security: fix CVE-2022-41722 [1.19 backport] #57275

Closed

security: fix CVE-2022-41722 [1.20 backport] #57276

Closed

seankhliao added Security NeedsFix The path to resolution is known, but the work has not been done. labels Dec 26, 2022

seankhliao added this to the Go1.20 milestone Dec 26, 2022

lukidzi mentioned this issue Jan 11, 2023

build: update to go 1.18.9 (backport #5607) kumahq/kuma#5612

Merged

gopherbot modified the milestones: Go1.20, Go1.21 Feb 1, 2023

gopherbot closed this as completed in 95eb5ab Feb 14, 2023

prattmic changed the title ~~security: fix CVE-2022-41722~~ path/filepath: path traversal in filepath.Clean on Windows (CVE-2022-41722) Feb 14, 2023

zafs23 mentioned this issue Mar 21, 2023

Golang Patch Release: [security] Go 1.20.1 and Go 1.19.6 are released aws/eks-distro-build-tooling#844

Closed

golang locked and limited conversation to collaborators Mar 2, 2024

gopherbot added the FrozenDueToAge label Mar 2, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

path/filepath: path traversal in filepath.Clean on Windows (CVE-2022-41722) #57274

path/filepath: path traversal in filepath.Clean on Windows (CVE-2022-41722) #57274

neild commented Dec 13, 2022 •

edited by prattmic

neild commented Dec 13, 2022

gopherbot commented Dec 13, 2022

mdempsky commented Jan 25, 2023

gopherbot commented Feb 14, 2023

gopherbot commented Feb 14, 2023

gopherbot commented Feb 14, 2023

rickhenderson commented Mar 3, 2023

neild commented Mar 3, 2023

path/filepath: path traversal in filepath.Clean on Windows (CVE-2022-41722) #57274

path/filepath: path traversal in filepath.Clean on Windows (CVE-2022-41722) #57274

Comments

neild commented Dec 13, 2022 • edited by prattmic

neild commented Dec 13, 2022

gopherbot commented Dec 13, 2022

mdempsky commented Jan 25, 2023

gopherbot commented Feb 14, 2023

gopherbot commented Feb 14, 2023

gopherbot commented Feb 14, 2023

rickhenderson commented Mar 3, 2023

neild commented Mar 3, 2023

neild commented Dec 13, 2022 •

edited by prattmic