

CVE-2023-28105: fix zip.Unzip path traversal vulnerability and add some new file util… · dablelv/go-huge-util@0e308b0

go-used-util has commonly used utility functions for Go. Versions prior to 0.0.34 have a ZipSlip issue when using the fsutil package to unzip files. When users use zip.Unzip to extract a zip archive supplied by a malicious attacker, they may be vulnerable to path traversal. The issue has been fixed in version 0.0.34. There are no known workarounds.


@@ -55,7 +55,7 @@ func ReadLinesV2(path string) ([]string, int, error) { } }
// ListDir lists all the file or dir names in the specified directory. // ListDir lists all the file or directory names in the specified directory. // Note that ListDir don’t traverse recursively. func ListDir(dirname string) ([]string, error) { infos, err := ioutil.ReadDir(dirname) @@ -69,12 +69,12 @@ func ListDir(dirname string) ([]string, error) { return names, nil }
// IsPathExist checks whether a file/dir exists. // IsExist checks whether a file/dir exists. // Use os.Stat to get the info of the target file or dir to check whether exists. // If os.Stat returns nil err, the target exists. // If os.Stat returns a os.ErrNotExist err, the target does not exist. // If the error returned is another type, the target is uncertain whether exists. func IsPathExist(path string) (bool, error) { func IsExist(path string) (bool, error) { _, err := os.Stat(path) if err == nil { return true, nil @@ -123,17 +123,19 @@ func IsFileE(path string) (bool, error) { return false, err }
// IsSymlink checks a file whether is a symbolic link. // IsSymlink checks a file whether is a symbolic link on Linux. // Note that this doesn’t work for the shortcut file on windows. // If you want to check a file whether is a shortcut file on Windows please use IsShortcut function. func IsSymlink(path string) bool { if info, err := os.Lstat(path); err == nil && info.Mode()&os.ModeSymlink != 0 { return true } return false }
// IsSymlinkE checks a file whether is a symbolic link. // IsSymlinkE checks a file whether is a symbolic link on Linux. // Note that this doesn’t work for the shortcut file on windows. // If you want to check a file whether is a shortcut file on Windows please use IsShortcut function. func IsSymlinkE(path string) (bool, error) { info, err := os.Lstat(path) if err == nil && info.Mode()&os.ModeSymlink != 0 { @@ -142,27 +144,37 @@ func IsSymlinkE(path string) (bool, error) { return false, err }
// IsShortcut checks a file whether is a shortcut on Windows. func IsShortcut(path string) bool { ext := filepath.Ext(path) if ext == “.lnk” { return true } return false }
// RemoveFile removes the named file or empty directory. // https://gist.github.com/novalagung/13c5c8f4d30e0c4bff27 // If there is an error, it will be of type *PathError. func RemoveFile(path string) error { err := os.Remove(path) return err return os.Remove(path) }
// Create creates or truncates the target file specified by path. // If the parent directory does not exist, it will be created with mode os.ModePerm.is cr truncated. // If the parent directory does not exist, it will be created with mode os.ModePerm. // If the file does not exist, it is created with mode 0666. // If successful, methods on the returned File can be used for I/O; the associated file descriptor has mode O_RDWR. func Create(filePath string) (*os.File, error) { if exist, err := IsPathExist(filePath); err != nil { // If successful, methods on the returned file can be used for I/O; the associated file descriptor has mode O_RDWR. func Create(path string) (*os.File, error) { exist, err := IsExist(path) if err != nil { return nil, err } else if exist { return os.Create(filePath) } if err := os.MkdirAll(filepath.Dir(filePath), os.ModePerm); err != nil { if exist { return os.Create(path) } if err := os.MkdirAll(filepath.Dir(path), os.ModePerm); err != nil { return nil, err } return os.Create(filePath) return os.Create(path) }
// CreateFile creates a file specified by path. @@ -181,15 +193,16 @@ func FileToBytes(path string) []byte { return byteStream }
// BytesToFile writes data to a file. If the file does not exist it will be created with permission mode 0644. func BytesToFile(filePath string, data []byte) error { exist, _ := IsPathExist(filePath) // BytesToFile writes data to a file. // If the file does not exist it will be created with permission mode 0644. func BytesToFile(path string, data []byte) error { exist, _ := IsExist(path) if !exist { if err := CreateFile(filePath); err != nil { if err := CreateFile(path); err != nil { return err } } return ioutil.WriteFile(filePath, data, 0644) return ioutil.WriteFile(path, data, 0644) }
// GetDirAllEntryPaths gets all the file or dir paths in the specified directory recursively. @@ -260,3 +273,13 @@ func GetDirAllEntryPathsFollowSymlink(dirname string, incl bool) ([]string, erro } return paths, nil }
// ClearFile clears a file content. func ClearFile(path string) error { f, err := os.OpenFile(path, os.O_WRONLY|os.O_TRUNC, 0777) if err != nil { return err } defer f.Close() return nil }
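Review bot: ClearFile in the last hunk opens the file with `os.O_WRONLY|os.O_TRUNC` and a 0777 mode argument, but without `os.O_CREATE` that mode is never applied, so the constant is misleading, and the deferred `f.Close()` discards any close error while the function returns nil unconditionally. The same effect with error reporting is a single call, `func ClearFile(path string) error { return os.Truncate(path, 0) }`; if the explicit open is kept, the last line should at least become `return f.Close()`. BytesToFile in the preceding hunk has the same error-dropping shape: `exist, _ := IsExist(path)` throws away a stat failure such as permission denied and then falls through to CreateFile, so the caller sees a less specific error than the one that actually occurred (line breaks in that hunk are collapsed, so the exact placement is inferred). Separately, Create's `os.MkdirAll(filepath.Dir(path), os.ModePerm)` creates any missing parent directories as 0777 before umask; a tighter default such as 0755 is worth considering for a library helper.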

Related news

GHSA-5g39-ppwg-6xx8: Go-huge-util vulnerable to path traversal when unzipping files

Impact: ZipSlip issue when using the fsutil package to unzip files. When users use zip.Unzip to extract a zip archive supplied by a malicious attacker, they may be vulnerable to path traversal. Patches: It has been fixed in v0.0.34; please upgrade to v0.0.34 or above. Workarounds: None; users have to upgrade. References
