Both the at (systems that implement openat, unlinkat etc) and the noat implementations of os.RemoveAll are susceptible to a TOCTOU symlink race, where a directory can be replaced with a symlink between being stat'd and open'd. This can be used to 'trick' the program into deleting things it does not expect to delete. This is a minor security issue, but has relatively limited impact because it requires a multi-user system where an attacker is able to create symlinks, and a program which will call os.RemoveAll on an attacker-writable tree.
This is due to O_NOFOLLOW not being passed to openat/open on Unix systems, and FILE_FLAG_OPEN_REPARSE_POINT not being passed to CreateFileW on Windows. On Unix systems the fix is extremely simple, but on Windows it requires some changes to the Windows syscalls, since the flags passed to CreateFileW are fixed and cannot be altered by the caller currently.
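The check-then-open gap described above, as an added example for Unix systems (not code from the issue author or the Go project): the directory is swapped for a symlink in-process so the race window is deterministic, then opened without and with O_NOFOLLOW. The names openDirNoFollow and swapDemo and the directory names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// openDirNoFollow fails (ELOOP or ENOTDIR) if path's last component is a symlink.
func openDirNoFollow(path string) (*os.File, error) {
	fd, err := syscall.Open(path, syscall.O_RDONLY|syscall.O_DIRECTORY|syscall.O_NOFOLLOW|syscall.O_CLOEXEC, 0)
	if err != nil {
		return nil, &os.PathError{Op: "open", Path: path, Err: err}
	}
	return os.NewFile(uintptr(fd), path), nil
}

// swapDemo runs check, swap, then use; all paths are constructed samples.
func swapDemo() (followed, refused bool, err error) {
	root, err := os.MkdirTemp("", "toctou-demo")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(root)
	victim, sub := filepath.Join(root, "victim"), filepath.Join(root, "tree", "sub")
	err = errors.Join(os.MkdirAll(victim, 0o700), os.MkdirAll(sub, 0o700))
	if fi, lerr := os.Lstat(sub); err != nil || lerr != nil || !fi.IsDir() { // time of check
		return false, false, fmt.Errorf("setup failed: %v, %v", err, lerr)
	}
	if err = errors.Join(os.Remove(sub), os.Symlink(victim, sub)); err != nil { // the swap
		return false, false, err
	}
	if f, err := os.Open(sub); err == nil { // time of use, no O_NOFOLLOW
		got, _ := f.Stat()
		want, _ := os.Stat(victim)
		followed = os.SameFile(got, want) // the handle is the victim directory
		f.Close()
	}
	g, err := openDirNoFollow(sub) // time of use, with O_NOFOLLOW
	if err == nil {
		g.Close()
	}
	return followed, err != nil, nil
}

func main() {
	fmt.Println(swapDemo()) // prints: true true <nil>
}
```

O_NOFOLLOW only covers the final path component, so a recursive delete also has to open each child relative to its already-opened parent (openat) rather than by full path.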