Please follow the Go Security Policy: https://go.dev/security/policy
All security bugs in the Go distribution should be reported by email to secur...@golang.org. This mail is delivered to the Go Security team.

On Tuesday, December 6, 2022 at 6:44:37 PM UTC-5 Marco Arboleda wrote:
> Good afternoon,
>
> My company is using the glog library <https://github.com/golang/glog> as a dependency in some of our code.
>
> However, one of my pipelines for a project I'm working on started failing today. It was due to a security issue flagged by our static code analysis tool.
>
> The relevant lines of code were lines 117 & 118 in glog_file.go <https://github.com/golang/glog/blob/master/glog_file.go#L117-L118> of the glog package.
>
> Could someone take a look at this and look into fixing the security vulnerability?
>
> Here are some more details about the security issue:
>
> Unsanitized input from a CLI argument flows into os.Remove, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to delete arbitrary files.
>
> Found in: vendor/github.com/golang/glog/glog_file.go <http://github.com/golang/glog/glog_file.go> (line 117)
>
> Unsanitized input from a CLI argument flows into os.Symlink, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to create arbitrary symlinks.
>
> Found in: vendor/github.com/golang/glog/glog_file.go <http://github.com/golang/glog/glog_file.go> (line 118)
>
> And here's an article I found about the security issue in more detail (code CWE-23): https://cwe.mitre.org/data/definitions/23.html
>
> Marco Arboleda | Developer 1
> Applied Systems Canada
> marb...@appliedsystems.com
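The finding quoted above is the generic CWE-23 pattern: a path that originates in a command-line flag reaches os.Remove and then os.Symlink without being confined to the directory it is meant to live in. The following is an added example, not code from glog or from anyone in the thread, showing how a defender would confine such a name before either call. ConfinePath and ReplaceSymlink are hypothetical names chosen here; the check uses filepath.Rel rather than a string-prefix test so that a sibling directory such as "../app-evil" is rejected even though its text starts with the base path. It makes no claim about what glog itself does at the cited lines.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a caller-supplied name would resolve
// outside the directory it is supposed to stay in (CWE-23 style traversal).
var ErrOutsideBase = errors.New("path escapes base directory")

// ConfinePath joins name under base and returns the cleaned absolute result,
// or an error if name is absolute, resolves to base itself, or climbs out of
// base with "..". filepath.Rel is used instead of strings.HasPrefix on the
// joined path so that "/var/log/app-evil" is not mistaken for a child of
// "/var/log/app".
func ConfinePath(base, name string) (string, error) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	if filepath.IsAbs(name) {
		// The caller only gets to pick a name inside base, never a full path.
		return "", ErrOutsideBase
	}
	joined := filepath.Join(absBase, name) // Join cleans ".." segments lexically
	rel, err := filepath.Rel(absBase, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	if rel == "." {
		return "", errors.New("name resolves to the base directory itself")
	}
	return joined, nil
}

// ReplaceSymlink deletes linkName under base (if present) and recreates it as
// a relative symlink to target, also under base. Both names are confined
// first, so the two calls the analyzer flags (os.Remove, then os.Symlink)
// only ever receive paths inside base.
func ReplaceSymlink(base, target, linkName string) error {
	targetPath, err := ConfinePath(base, target)
	if err != nil {
		return fmt.Errorf("target %q: %w", target, err)
	}
	linkPath, err := ConfinePath(base, linkName)
	if err != nil {
		return fmt.Errorf("link %q: %w", linkName, err)
	}
	if err := os.Remove(linkPath); err != nil && !errors.Is(err, os.ErrNotExist) {
		return err
	}
	// A relative link target keeps the directory relocatable and cannot point
	// outside it.
	return os.Symlink(filepath.Base(targetPath), linkPath)
}

func main() {
	// Constructed sample: a throwaway log directory with one rotated file.
	dir, err := os.MkdirTemp("", "logdir")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := os.WriteFile(filepath.Join(dir, "app.log.1"), []byte("constructed sample log\n"), 0o600); err != nil {
		panic(err)
	}
	// Constructed link names: one legitimate, three that try to leave dir.
	for _, link := range []string{"app.log", "../app.log", "/tmp/app.log", "../logdir-evil"} {
		err := ReplaceSymlink(dir, "app.log.1", link)
		fmt.Printf("%-16s -> %v\n", link, err)
	}
}
```

The sentinel error lets a flag-parsing layer turn a rejected name into a clear startup failure instead of silently touching a path elsewhere on the host; if the base directory itself is chosen by a flag, the same confinement should be applied against a fixed parent chosen by the program, since a static analyzer will otherwise still see untrusted input reaching os.Remove and os.Symlink.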