This latest writeup by @joern mentions that the #documentation of Go’s filepath.Clean is “not really obvious” when dealing with relative paths.
I think this is something all #golang devs should be aware of to avoid similar vulnerabilities.
The language is kind of amazing:
This makes the docs technically correct (“the best kind of correct!”), but even with the solution at hand it took some head scratching to figure out the true meaning.
@buherator @joern Half-jokingly, we need this in our lives: https://gitlab.com/mjg59/linux/-/commit/13cd6ec5e0e99124dd730156a4d921b20f192e2d
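An added example, not part of the thread or of the writeup it links to, showing the relative-path behaviour of filepath.Clean discussed above next to a containment check. The function names naiveResolve and safeResolve and the base directory /srv/uploads are hypothetical, and the sample inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// naiveResolve assumes filepath.Clean neutralises "..". It does not: Clean
// only drops ".." elements that begin a rooted path, so the leading ".."
// elements of a relative path survive and Join then walks out of base.
func naiveResolve(base, userPath string) string {
	return filepath.Join(base, filepath.Clean(userPath))
}

// safeResolve joins first, then checks lexically that the result is still
// under base. It does not resolve symlinks; that needs a separate check.
func safeResolve(base, userPath string) (string, error) {
	sep := string(filepath.Separator)
	full := filepath.Join(base, userPath) // Join cleans the combined path
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return "", errors.New("path escapes base directory")
	}
	return full, nil
}

func main() {
	const base = "/srv/uploads" // constructed sample base directory
	inputs := []string{"a/../b.txt", "../../etc/passwd", "a/../../../etc/passwd"}
	for _, p := range inputs {
		safe, err := safeResolve(base, p)
		fmt.Printf("input=%q clean=%q naive=%q safe=%q err=%v\n",
			p, filepath.Clean(p), naiveResolve(base, p), safe, err)
	}
}
```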