Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/url: JoinPath doesn't strip relative path components in all circumstances #54385

Closed
neild opened this issue Aug 11, 2022 · 12 comments · Fixed by #54390
Closed

net/url: JoinPath doesn't strip relative path components in all circumstances #54385

neild opened this issue Aug 11, 2022 · 12 comments · Fixed by #54390
Assignees
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. Security
Milestone

Comments

@neild
Copy link
Contributor

neild commented Aug 11, 2022

fmt.Println(url.JoinPath("https://go.dev", "../x"))  // https://go.dev/../x
fmt.Println(url.JoinPath("https://go.dev/", "../x")) // https://go.dev/x

https://go.dev/play/p/gLLv0cc_jn1

JoinPath doesn't remove ../ path components appended to a domain that is not terminated by a slash. This is surprising and could conceivably lead to a directory traversal attack. The result of JoinPath shouldn't depend on whether the first component is / terminated or not.

Thanks to @q0jt for reporting this bug.

@neild neild added the Security label Aug 11, 2022
@neild neild self-assigned this Aug 11, 2022
@neild
Copy link
Contributor Author

neild commented Aug 11, 2022

This is CVE-2022-32190.

@q0jt
Copy link

q0jt commented Aug 11, 2022

Relative paths are now removed from elements with this patch #54390.

// OK
fmt.Println(url.JoinPath("https://go.dev", "../x")) // https://go.dev/x
fmt.Println(url.JoinPath("https://go.dev", "./x")) // https://go.dev/x

If a path contains whitespace or an invalid string at the beginning, it can be bypassed as follows.

- url.JoinPath("https://go.dev", "./../../x") // https://go.dev/../../x
- url.JoinPath("https://go.dev", "..;/../../../../../x") // https://go.dev/../../../../x
- url.JoinPath("https://go.dev", " ../../../../../../x") // https://go.dev/../../../../x

// OK
-  url.JoinPath("https://go.dev", "../.././x") // https://go.dev/x

cc @neild @cuishuang

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/423514 mentions this issue: net/url: consistently remove ../ elements in JoinPath

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/422715 mentions this issue: net/url: strip relative path components for JoinPath

@cuishuang
Copy link
Contributor

Relative paths are now removed from elements with this patch #54390.

// OK
fmt.Println(url.JoinPath("https://go.dev", "../x")) // https://go.dev/x
fmt.Println(url.JoinPath("https://go.dev", "./x")) // https://go.dev/x

If a path contains whitespace or an invalid string at the beginning, it can be bypassed as follows.

- url.JoinPath("https://go.dev", "./../../x") // https://go.dev/../../x
- url.JoinPath("https://go.dev", "..;/../../../../../x") // https://go.dev/../../../../x
- url.JoinPath("https://go.dev", " ../../../../../../x") // https://go.dev/../../../../x

// OK
-  url.JoinPath("https://go.dev", "../.././x") // https://go.dev/x

cc @neild @cuishuang

Relative paths are now removed from elements with this patch #54390.

// OK
fmt.Println(url.JoinPath("https://go.dev", "../x")) // https://go.dev/x
fmt.Println(url.JoinPath("https://go.dev", "./x")) // https://go.dev/x

If a path contains whitespace or an invalid string at the beginning, it can be bypassed as follows.

- url.JoinPath("https://go.dev", "./../../x") // https://go.dev/../../x
- url.JoinPath("https://go.dev", "..;/../../../../../x") // https://go.dev/../../../../x
- url.JoinPath("https://go.dev", " ../../../../../../x") // https://go.dev/../../../../x

// OK
-  url.JoinPath("https://go.dev", "../.././x") // https://go.dev/x

cc @neild @cuishuang

Maybe refer to this pr https://go-review.googlesource.com/c/go/+/423514/

@q0jt
Copy link

q0jt commented Aug 16, 2022

Maybe refer to this pr https://go-review.googlesource.com/c/go/+/423514/

PR https://go-review.googlesource.com/c/go/+/423514/ has resolved this issue.
This fix is working properly, and therefore I mark this ticket as resolved.

Many thanks.

@seankhliao seankhliao added this to the Go1.20 milestone Aug 20, 2022
@neild
Copy link
Contributor Author

neild commented Aug 23, 2022

@gopherbot please open backport issues.

@gopherbot
Copy link
Contributor

Backport issue(s) opened: #54634 (for 1.18), #54635 (for 1.19).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/425357 mentions this issue: [release-branch.go1.19] net/url: consistently remove ../ elements in JoinPath

gopherbot pushed a commit that referenced this issue Aug 29, 2022
…JoinPath

JoinPath would fail to remove relative elements from the start of
the path when the first path element is "".

In addition, JoinPath would return the original path unmodified
when provided with no elements to join, violating the documented
behavior of always cleaning the resulting path.

Correct both these cases.

    JoinPath("http://go.dev", "../go")
    // before: http://go.dev/../go
    // after:  http://go.dev/go

    JoinPath("http://go.dev/../go")
    // before: http://go.dev/../go
    // after:  http://go.dev/go

For #54385.
Fixes #54635.
Fixes CVE-2022-32190.

Change-Id: I6d22cd160d097c50703dd96e4f453c6c118fd5d9
Reviewed-on: https://go-review.googlesource.com/c/go/+/423514
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Alan Donovan <adonovan@google.com>
(cherry picked from commit 0765da5)
Reviewed-on: https://go-review.googlesource.com/c/go/+/425357
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
@dmitshur dmitshur added the NeedsFix The path to resolution is known, but the work has not been done. label Sep 6, 2022
bradfitz pushed a commit to tailscale/go that referenced this issue Sep 8, 2022
…JoinPath

JoinPath would fail to remove relative elements from the start of
the path when the first path element is "".

In addition, JoinPath would return the original path unmodified
when provided with no elements to join, violating the documented
behavior of always cleaning the resulting path.

Correct both these cases.

    JoinPath("http://go.dev", "../go")
    // before: http://go.dev/../go
    // after:  http://go.dev/go

    JoinPath("http://go.dev/../go")
    // before: http://go.dev/../go
    // after:  http://go.dev/go

For golang#54385.
Fixes golang#54635.
Fixes CVE-2022-32190.

Change-Id: I6d22cd160d097c50703dd96e4f453c6c118fd5d9
Reviewed-on: https://go-review.googlesource.com/c/go/+/423514
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Alan Donovan <adonovan@google.com>
(cherry picked from commit 0765da5)
Reviewed-on: https://go-review.googlesource.com/c/go/+/425357
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
@wqwljz
Copy link

wqwljz commented Sep 15, 2022

I use versions earlier than 1.18, such as 1.17. Do I need to upgrade to 1.18?

wormi4ok added a commit to wormi4ok/packages that referenced this issue Oct 20, 2022
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* openwrt#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
wormi4ok added a commit to wormi4ok/packages that referenced this issue Nov 14, 2022
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* openwrt#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
1715173329 pushed a commit to immortalwrt/packages that referenced this issue Nov 15, 2022
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* openwrt/packages#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
1582130940 pushed a commit to 1582130940/OpenWrt-Lean-Packages that referenced this issue Nov 16, 2022
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* openwrt/packages#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
1582130940 pushed a commit to 1582130940/OpenWrt-Lean-Packages that referenced this issue Nov 16, 2022
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* openwrt/packages#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
1582130940 pushed a commit to 1582130940/OpenWrt-Lean-Packages that referenced this issue Nov 16, 2022
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* openwrt/packages#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
1582130940 pushed a commit to 1582130940/OpenWrt-Lean-Packages that referenced this issue Nov 16, 2022
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* openwrt/packages#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
BKPepe pushed a commit to openwrt/packages that referenced this issue Dec 3, 2022
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* #19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
(cherry picked from commit 0ad7a2f)
stokito pushed a commit to stokito/packages that referenced this issue Dec 6, 2022
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* openwrt#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/458775 mentions this issue: cmd api NewWalker Reducing the code makes the code more concise

SibrenVasse pushed a commit to SibrenVasse/packages that referenced this issue Feb 26, 2023
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* openwrt#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
(cherry picked from commit 0ad7a2f)
Lienol pushed a commit to Lienol/openwrt-packages that referenced this issue Mar 10, 2023
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* openwrt/packages#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
(cherry picked from commit 0ad7a2f)
Lienol pushed a commit to Lienol/openwrt-packages that referenced this issue Mar 10, 2023
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* openwrt/packages#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
(cherry picked from commit 0ad7a2f)
@xuyang2
Copy link

xuyang2 commented Jul 10, 2023

I use versions earlier than 1.18, such as 1.17. Do I need to upgrade to 1.18?

#54634 (comment)

Lienol pushed a commit to Lienol/openwrt-packages that referenced this issue Oct 28, 2023
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* openwrt/packages#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
(cherry picked from commit 0ad7a2f)
Lienol pushed a commit to Lienol/openwrt-packages that referenced this issue Dec 20, 2023
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* openwrt/packages#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
(cherry picked from commit 0ad7a2f)
Lienol pushed a commit to Lienol/openwrt-packages that referenced this issue Mar 2, 2024
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* openwrt/packages#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
(cherry picked from commit 0ad7a2f)
Lienol pushed a commit to Lienol/openwrt-packages that referenced this issue Mar 18, 2024
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* openwrt/packages#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
(cherry picked from commit 0ad7a2f)
Lienol pushed a commit to Lienol/openwrt-packages that referenced this issue Jul 2, 2024
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* openwrt/packages#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
(cherry picked from commit 0ad7a2f)
@golang golang locked and limited conversation to collaborators Jul 9, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. Security
Projects
None yet
8 participants