This latest writeup by @joern mentions that the #documentation of Go’s filepath.Clean is “not really obvious” when dealing with relative paths.
I think this is something all #golang devs should be aware of to avoid similar vulnerabilities.
The language is kind of amazing:
This makes the docs technically correct (“the best kind of correct!”), but even with the solution at hand it took some head scratching to figure out the true meaning.
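An added example, not part of the original post or the referenced writeup, showing the behaviour in question: `filepath.Clean` only drops leading `..` elements from rooted paths, so a cleaned relative path can still climb out of a base directory. The function names `naiveResolve` and `safeResolve`, the base directory and the sample inputs are constructed for illustration, and Unix-style separators are assumed.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// errEscape is a hypothetical sentinel error for this example.
var errEscape = errors.New("path escapes base directory")

// naiveResolve assumes Clean removes every "..". That holds only for
// rooted paths; leading ".." elements of a relative path are kept.
func naiveResolve(base, user string) string {
	return filepath.Join(base, filepath.Clean(user))
}

// safeResolve joins first, then checks that the result is still
// located under base by computing the path relative to base.
func safeResolve(base, user string) (string, error) {
	full := filepath.Join(base, user)
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	sep := string(filepath.Separator)
	if rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return "", errEscape
	}
	return full, nil
}

func main() {
	base := "/srv/uploads" // constructed sample base directory
	// Constructed sample inputs: relative, rooted, and benign.
	for _, in := range []string{"../../outside.txt", "/../../outside.txt", "a/../b.txt"} {
		fmt.Printf("Clean(%q) = %q\n", in, filepath.Clean(in))
		fmt.Printf("  naive: %q\n", naiveResolve(base, in))
		p, err := safeResolve(base, in)
		fmt.Printf("  safe:  %q err=%v\n", p, err)
	}
}
```
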