Good morning, I'd like to follow up on the below email and whether the code that was flagged as a security issue will be looked into and fixed.
I looked around at how another Go library <https://github.com/go-aah/aah> fixed the issue, and this function <https://pkg.go.dev/path#example-Clean> may help.

From: Marco Arboleda
Sent: Tuesday, December 6, 2022 2:32 PM
To: golang-nuts@googlegroups.com
Subject: glog - Security Vulnerability Report

Good afternoon,

My company is using the glog library <https://github.com/golang/glog> as a dependency in some of our code. However, one of my pipelines for a project I'm working on started failing today. It was due to a security issue flagged by our static code analysis tool. The relevant lines of code were lines 117 & 118 in glog_file.go <https://github.com/golang/glog/blob/master/glog_file.go#L117-L118> of the glog package. Could someone take a look at this and look into fixing the security vulnerability?

Here are some more details about the security issue:

Unsanitized input from a CLI argument flows into os.Remove, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to delete arbitrary files.
Found in: vendor/github.com/golang/glog/glog_file.go (line : 117)

Unsanitized input from a CLI argument flows into os.Symlink, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to create arbitrary symlinks.
Found in: vendor/github.com/golang/glog/glog_file.go (line : 118)

And here's an article I found about the security issue in more detail (code CWE-23): https://cwe.mitre.org/data/definitions/23.html

Marco Arboleda | Developer 1
Applied Systems Canada
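The report above describes a flag-derived path flowing into os.Remove and os.Symlink and points at path.Clean as a possible fix. The Go program below is an added example written for this page; it is not glog's code and does not claim to show what glog_file.go does at lines 117-118. It shows the check a reviewer would want in front of that os.Remove / os.Symlink pair: Clean (here filepath.Clean, via filepath.Join) only normalises the path, so "../../etc/passwd" stays "../../etc/passwd"; the part that actually blocks traversal is confining the result under a trusted base directory with filepath.Rel. The base directory, the link name and the sample log file are constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideBase reports a caller-supplied name that would resolve outside base.
var ErrOutsideBase = errors.New("path escapes the base directory")

// SafeJoin confines untrusted (for example a file name derived from a CLI flag)
// to the trusted directory base. Hypothetical hardening helper, not glog's API.
//
// Clean alone is not a check: filepath.Clean("../../etc/passwd") is still
// "../../etc/passwd". Join cleans the combined path; the Rel check afterwards is
// what rejects anything that climbed above base.
func SafeJoin(base, untrusted string) (string, error) {
	if filepath.IsAbs(untrusted) {
		// An absolute name would be silently re-rooted by Join; refuse it instead.
		return "", ErrOutsideBase
	}
	cleanBase := filepath.Clean(base)
	joined := filepath.Join(cleanBase, untrusted) // Join also removes "." and ".." segments
	rel, err := filepath.Rel(cleanBase, joined)
	if err != nil {
		return "", err
	}
	// rel is "." when untrusted was empty or ".", which would target the directory
	// itself; a leading ".." means Join resolved to a location above base.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return joined, nil
}

// ReplaceSymlink is the os.Remove / os.Symlink pair from the report, with the
// confinement check applied to the link name before either call is made.
// A missing old link is not an error; any other Remove failure is returned.
func ReplaceSymlink(base, target, linkName string) error {
	linkPath, err := SafeJoin(base, linkName)
	if err != nil {
		return err
	}
	if err := os.Remove(linkPath); err != nil && !errors.Is(err, os.ErrNotExist) {
		return err
	}
	return os.Symlink(target, linkPath)
}

func main() {
	// Constructed demo: a temporary "log directory" and one sample log file.
	dir, err := os.MkdirTemp("", "safejoin-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	target := filepath.Join(dir, "app.20221206.log")
	if err := os.WriteFile(target, []byte("log line\n"), 0o600); err != nil {
		panic(err)
	}

	// "app.INFO" twice: the second call exercises the Remove of the existing link.
	for _, name := range []string{"app.INFO", "app.INFO", "../../etc/passwd", "/etc/passwd", "sub/../../x"} {
		err := ReplaceSymlink(dir, target, name)
		fmt.Printf("%-20q -> %v\n", name, err)
	}
}
```

The check confines the name relative to a base directory the program already trusts; it does not help if the base directory itself is attacker-controlled, and the Remove-then-Symlink sequence is still two separate syscalls, so a writable base shared with untrusted users remains a race to consider.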