Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

os: RemoveAll susceptible to symlink race #52745

Open
rolandshoemaker opened this issue May 6, 2022 · 0 comments
Open

os: RemoveAll susceptible to symlink race #52745

rolandshoemaker opened this issue May 6, 2022 · 0 comments
Labels
NeedsFix OS-Windows
Milestone

Comments

@rolandshoemaker
Copy link
Member

@rolandshoemaker rolandshoemaker commented May 6, 2022

Both the at (systems that implement openat, unlinkat etc) and the noat implementations of os.RemoveAll are susceptible to a TOCTOU symlink race, where a directory can be replaced with a symlink between being stat'd and open'd. This can be used to 'trick' the program into deleting things it does not expect to delete. This is a minor security issue, but has relatively limited impact because it requires a multi-user system where an attacker is able to create symlinks, a program which will call os.RemoveAll on an attacker writable tree.

This is due to O_NOFOLLOW not being passed to openat/open on Unix systems, and FILE_FLAG_OPEN_REPARSE_POINT not being passed to CreateFileW on Windows. On Unix systems the fix is extremely simple, but on Windows it requires some changes to the Windows syscalls, since the flags passed to CreateFileW are fixed and cannot be altered by the caller currently.

@rolandshoemaker rolandshoemaker added OS-Windows NeedsFix labels May 6, 2022
@rolandshoemaker rolandshoemaker added this to the Backlog milestone May 6, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
NeedsFix OS-Windows
Projects
None yet
Development

No branches or pull requests

1 participant