Traversal-resistant file APIs (The Go Blog) [LWN.net]

Damien Neil has written an article for the Go Blog about path traversal vulnerabilities and the os.Root API added in Go 1.24 to help prevent them.

Root permits relative path components and symlinks that do not escape the root. For example, root.Open("a/../b") is permitted. Filenames are resolved using the semantics of the local platform: On Unix systems, this will follow any symlink in "a" (so long as that link does not escape the root); while on Windows systems this will open "b" (even if "a" does not exist).

to post comments

RESOLVE_BENEATH

Posted Mar 13, 2025 13:01 UTC (Thu) by make (subscriber, #62794) [Link] (1 responses)

There's RESOLVE_BENEATH for the openat2() system call on Linux. It's a good solution to a common problem.

RESOLVE_BENEATH

Posted Mar 18, 2025 6:46 UTC (Tue) by jamesh (guest, #1159) [Link]

There's a fair bit of discussion of RESOLVE_BENEATH and some of the other openat2 modes in Go bug #67002. It looks like the Go 1.24 implementation is just plain openat and manual following of symlinks:

The implementation in 1.24 will support all our ports (with the caveats mentioned above for GOOS=js and GOOS=plan9), but not does not take advantage of platform-specific features such as Linux's RESOLVE_BENEATH and Darwin's O_NOFOLLOW_ANY which allow for a more efficient implementation. That will also be a task for 1.25.