net/url: JoinPath doesn't strip relative path components in all circumstances

[neild]

fmt.Println(url.JoinPath("https://go.dev", "../x"))  // https://go.dev/../x
fmt.Println(url.JoinPath("https://go.dev/", "../x")) // https://go.dev/x

https://go.dev/play/p/gLLv0cc_jn1

JoinPath doesn't remove ../ path components appended to a domain that is not terminated by a slash. This is surprising and could conceivably lead to a directory traversal attack. The result of JoinPath shouldn't depend on whether the first component is / terminated or not.

Thanks to @q0jt for reporting this bug.

[neild]

This is CVE-2022-32190.

[q0jt]

Relative paths are now removed from elements with this patch #54390.

// OK
fmt.Println(url.JoinPath("https://go.dev", "../x")) // https://go.dev/x
fmt.Println(url.JoinPath("https://go.dev", "./x")) // https://go.dev/x

If a path contains whitespace or an invalid string at the beginning, it can be bypassed as follows.

- url.JoinPath("https://go.dev", "./../../x") // https://go.dev/../../x
- url.JoinPath("https://go.dev", "..;/../../../../../x") // https://go.dev/../../../../x
- url.JoinPath("https://go.dev", " ../../../../../../x") // https://go.dev/../../../../x

// OK
-  url.JoinPath("https://go.dev", "../.././x") // https://go.dev/x

cc @neild @cuishuang

[gopherbot]

Change https://go.dev/cl/423514 mentions this issue: net/url: consistently remove ../ elements in JoinPath

[gopherbot]

Change https://go.dev/cl/422715 mentions this issue: net/url: strip relative path components for JoinPath

[cuishuang]

Relative paths are now removed from elements with this patch #54390.

// OK
fmt.Println(url.JoinPath("https://go.dev", "../x")) // https://go.dev/x
fmt.Println(url.JoinPath("https://go.dev", "./x")) // https://go.dev/x

If a path contains whitespace or an invalid string at the beginning, it can be bypassed as follows.

- url.JoinPath("https://go.dev", "./../../x") // https://go.dev/../../x
- url.JoinPath("https://go.dev", "..;/../../../../../x") // https://go.dev/../../../../x
- url.JoinPath("https://go.dev", " ../../../../../../x") // https://go.dev/../../../../x

// OK
-  url.JoinPath("https://go.dev", "../.././x") // https://go.dev/x

cc @neild @cuishuang

Relative paths are now removed from elements with this patch #54390.

// OK
fmt.Println(url.JoinPath("https://go.dev", "../x")) // https://go.dev/x
fmt.Println(url.JoinPath("https://go.dev", "./x")) // https://go.dev/x

If a path contains whitespace or an invalid string at the beginning, it can be bypassed as follows.

- url.JoinPath("https://go.dev", "./../../x") // https://go.dev/../../x
- url.JoinPath("https://go.dev", "..;/../../../../../x") // https://go.dev/../../../../x
- url.JoinPath("https://go.dev", " ../../../../../../x") // https://go.dev/../../../../x

// OK
-  url.JoinPath("https://go.dev", "../.././x") // https://go.dev/x

cc @neild @cuishuang

Maybe refer to this pr https://go-review.googlesource.com/c/go/+/423514/

[q0jt]

Maybe refer to this pr https://go-review.googlesource.com/c/go/+/423514/

PR https://go-review.googlesource.com/c/go/+/423514/ has resolved this issue.
This fix is working properly, and therefore I mark this ticket as resolved.

Many thanks.

[neild]

@gopherbot please open backport issues.

[gopherbot]

Backport issue(s) opened: #54634 (for 1.18), #54635 (for 1.19).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.