CVE-2022-1992: pathutil: check both styles of `os.PathSeparator` (#7020) · gogs/gogs@2ca0142
Path Traversal in GitHub repository gogs/gogs prior to 0.12.9.
@@ -12,38 +12,69 @@ import (
func TestClean(t *testing.T) { tests := []struct { path string expVal string path string wantVal string }{ { path: "…/…/…/readme.txt", expVal: "readme.txt", path: "…/…/…/readme.txt", wantVal: "readme.txt", }, { path: "a/…/…/…/readme.txt", expVal: "readme.txt", path: "a/…/…/…/readme.txt", wantVal: "readme.txt", }, { path: "/…/a/b/…/c/…/readme.txt", expVal: "a/readme.txt", path: "/…/a/b/…/c/…/readme.txt", wantVal: "a/readme.txt", }, { path: "/a/readme.txt", expVal: "a/readme.txt", path: "/a/readme.txt", wantVal: "a/readme.txt", }, { path: "/", expVal: "", path: "/", wantVal: "", },
{ path: "/a/b/c/readme.txt", expVal: "a/b/c/readme.txt", path: "/a/b/c/readme.txt", wantVal: "a/b/c/readme.txt", },
// Windows-specific { path: `…\…\…\readme.txt`, wantVal: "readme.txt", }, { path: `a\…\…\…\readme.txt`, wantVal: "readme.txt", }, { path: `\…\a\b\…\c\…\readme.txt`, wantVal: "a/readme.txt", }, { path: `\a\readme.txt`, wantVal: "a/readme.txt", }, { path: `…\…\…\…/README.md`, wantVal: "README.md", }, { path: `\`, wantVal: "", },
{ path: `\a\b\c\readme.txt`, wantVal: `a/b/c/readme.txt`, }, } for _, test := range tests { t.Run("", func(t *testing.T) { assert.Equal(t, test.expVal, Clean(test.path)) t.Run(test.path, func(t *testing.T) { assert.Equal(t, test.wantVal, Clean(test.path)) }) } }
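Review bot: `t.Run(test.path, ...)` names each subtest after a path that contains `/` and `\`, and the testing package treats `/` in a subtest name as a level separator for `-run` matching, so a case such as `/a/b/c/readme.txt` cannot be selected cleanly on the command line; naming the subtests by index or with `fmt.Sprintf("%q", test.path)` keeps the failure output readable (a clear improvement over the old `t.Run("", ...)`) without that quirk. The `expVal`→`wantVal` rename and the added `// Windows-specific` cases, including the mixed-separator `…\…\…\…/README.md`, cover the separator handling the fix is about; since the table runs on every platform rather than behind a `runtime.GOOS` check, the test also documents that backslashes are treated as separators everywhere, which is worth a one-line comment in the table. (The `…` in the rendered hunk stands for the literal `..` of each traversal component.)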
Related news
### Impact

A malicious user is able to delete and upload arbitrary file(s). All installations on Windows with [repository upload enabled (default)](https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L129) are affected.

### Patches

Path cleaning now accounts for Windows path separators. Users should upgrade to 0.12.9 or the latest 0.13.0+dev.

### Workarounds

N/A

### References

https://huntr.dev/bounties/2e8cdc57-a9cf-46ae-9088-87f09e6c90ab/

### For more information

If you have any questions or comments about this advisory, please post on #7001.
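As an added example (not gogs's own `pathutil.Clean`, whose implementation is not shown on this page), here is a Go cleaning routine that satisfies every case in the test table above, with a slash-only variant beside it to show why the Windows-specific cases matter. The names `Clean` and `cleanSlashOnly` and the sample paths are constructed for this example.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// cleanSlashOnly is the kind of cleaning that only understands "/". It is
// constructed here to illustrate the gap the table's Windows-specific cases
// cover: to the "path" package a backslash is an ordinary byte, so a
// backslash-separated "..\" is a single path element and survives untouched.
func cleanSlashOnly(p string) string {
	p = path.Clean("/" + p)
	return strings.TrimPrefix(p, "/")
}

// Clean normalizes an untrusted relative path so it cannot escape the
// directory it is later joined to, regardless of the host OS:
//  1. treat "\" as a separator, so Windows-style input is cleaned too;
//  2. anchor the path at "/" and run path.Clean, which resolves "." and ".."
//     and collapses repeated separators; ".." cannot climb above "/";
//  3. strip the leading "/" so the result is always relative.
func Clean(p string) string {
	p = strings.ReplaceAll(p, `\`, "/")
	p = path.Clean("/" + p)
	return strings.TrimPrefix(p, "/")
}

func main() {
	// Constructed inputs mirroring the shape of the test table above.
	samples := []string{
		"../../../readme.txt",
		"a/../../../readme.txt",
		"/../a/b/../c/../readme.txt",
		`..\..\..\readme.txt`,
		`\..\a\b\..\c\..\readme.txt`,
		`..\..\..\../README.md`,
		`\`,
	}
	for _, s := range samples {
		fmt.Printf("%-30q slash-only=%-24q both=%q\n", s, cleanSlashOnly(s), Clean(s))
	}
}
```

The point of running both functions over the same inputs is that the slash-only variant is correct on every forward-slash case yet returns the backslash inputs unchanged, which is exactly the condition the new table rows guard against; replacing backslashes before cleaning closes that gap on every platform, not only on Windows.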