go run gorillaguard.go
Gorilla Guard is a security tool designed to enhance the security of web applications built using the Gorilla Sessions library by detecting and preventing potential path traversal vulnerabilities. It specifically targets Common Weakness Enumeration (CWE) number 22, which relates to improper handling of input data that may lead to path traversal attacks.
https://github.com/search?q=sessions.NewFilesystemStore+language%3Ago+&type=code
export SESSION_KEY=gorilla
go run escapezoo.go
curl --cookie "zoo=$PREFIX/tmp" http://localhost:8080
curl --cookie "zoo=$HOME/" http://localhost:8080
if ( os_IsNotExist(fmta._r2) )
{
store_8b = (github_com_gorilla_sessions_Store_0)net_http__ptr_Request_Context(r);
ctxb = store_8b.tab;
v52 = runtime_convTstring((string)s->path);
v6 = (_1_interface_ *)runtime_newobject((runtime__type_0 *)&RTYPE__1_interface_);
v51 = (interface__0 *)v6;
(*v6)[0].tab = (void *)&RTYPE_string_0;
if ( *(_DWORD *)&runtime_writeBarrier.enabled )
runtime_gcWriteBarrier();
else
(*v6)[0].data = v52;
storee.tab = ctxb;
storee.data = store_8b.data;
fmtb.str = (uint8 *)"folder is missing, create folder %s";
fmtb.len = 35LL;
fmt_16a.array = v51;
fmt_16a.len = 1LL;
fmt_16a.cap = 1LL;
paloaltonetworks_com_libs_common_Warn(storee, fmtb, fmt_16a);
err_1 = os_MkdirAll((string)s->path, 0644u);
https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
A PSA since there's some confusion on this...
There is no vulnerability in Gorilla Sessions.
The vulnerability is in Palo Alto's internal SessDiskStore, which looks similar to FilesystemStore. Early analysis came to the mistaken conclusion that the vulnerable path was in FilesystemStore, but it's not. FilesystemStore authenticates the Session.ID with securecookie, SessDiskStore does not.
Hypothetically, if an application went out of their way to misuse FilesystemStore by not using its New API and stuffing attacker-controlled data in Session.ID (which is documented as not being safe), they could hit this.
That's *not* what happened to Palo Alto. They wrote their own Store that takes the session ID from a cookie in New without authentication.