
Chapter 3: Remote code execution vulnerability #79

Open
mtlynch opened this issue Aug 14, 2022 · 0 comments

mtlynch commented Aug 14, 2022

Chapter 3 features a directory traversal vulnerability, which, combined with #78, leads to remote code execution.

The vulnerability is on this line:

filename := path.Join("avatars", userID+path.Ext(header.Filename))

Both userID and header.Filename are attacker-controlled values, so if the attacker uploads a malicious binary and specifies a userid value of ../chat and a filename of foo, the resulting filename is chat, which causes the next line to overwrite the chat server binary with arbitrary attacker-controlled code.

err = ioutil.WriteFile(filename, data, 0777)

The next time the server restarts, it will execute attacker-controlled code.

This vulnerability also allows the attacker to overwrite any file on the system as long as the user executing the chat server has write access to those files.

Recommended fix

You can prevent directory traversal by verifying that the userid parameter doesn't contain any path traversal characters. In other words, check that the basename of the string is the same as the string itself:

userID := req.FormValue("userid")
if userID != filepath.Base(userID) {
	http.Error(w, "userid contains illegal file path characters", http.StatusBadRequest)
	return
}
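The following Go program is an added illustration and is not code from the book or from this repository. It reproduces the path construction quoted above in UnsafeAvatarPath so the effect of a userid of ../chat can be observed (path.Join cleans avatars/../chat down to chat), and puts the recommended filepath.Base check into ValidateUserID, which SafeAvatarPath calls before joining. The directory name avatars is taken from the issue; the function names, the extra rejection of . and .., and the final containment check are assumptions of this example, not part of the original fix.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// avatarDir is the directory the upload handler is supposed to write into.
const avatarDir = "avatars"

// ErrBadUserID mirrors the 400 error text from the recommended fix.
var ErrBadUserID = errors.New("userid contains illegal file path characters")

// UnsafeAvatarPath reproduces the vulnerable line from the issue: both
// userID and filename are taken from the request without validation.
func UnsafeAvatarPath(userID, filename string) string {
	return path.Join(avatarDir, userID+path.Ext(filename))
}

// ValidateUserID applies the recommended check: a userid that survives
// filepath.Base unchanged contains no directory separators. The additional
// rejection of "", "." and ".." is an assumption of this example, since
// filepath.Base leaves those strings unchanged too.
func ValidateUserID(userID string) error {
	if userID == "" || userID == "." || userID == ".." {
		return ErrBadUserID
	}
	if userID != filepath.Base(userID) {
		return ErrBadUserID
	}
	return nil
}

// SafeAvatarPath validates userID first and then, as a belt-and-braces
// measure (an assumption of this example), confirms the joined path still
// lies inside avatarDir before returning it to the caller.
func SafeAvatarPath(userID, filename string) (string, error) {
	if err := ValidateUserID(userID); err != nil {
		return "", err
	}
	p := path.Join(avatarDir, userID+path.Ext(filename))
	if !strings.HasPrefix(p, avatarDir+"/") {
		return "", ErrBadUserID
	}
	return p, nil
}

func main() {
	// Constructed sample inputs taken from the scenario in the issue.
	fmt.Println("unsafe:", UnsafeAvatarPath("../chat", "foo"))
	if _, err := SafeAvatarPath("../chat", "foo"); err != nil {
		fmt.Println("safe rejects ../chat:", err)
	}
	p, _ := SafeAvatarPath("alice", "pic.png")
	fmt.Println("safe accepts alice:", p)
}
```

In the handler, ValidateUserID would run right after req.FormValue("userid") and turn a non-nil error into http.Error with http.StatusBadRequest, exactly as in the snippet above; the rest of the upload logic then only ever sees a userid that cannot leave the avatars directory.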