Go Driver / GODRIVER-2780

Potential File Inclusion Vulnerability in Logging


Details

    • Type: Improvement
    • Resolution: Cannot Reproduce
    • Priority: Unknown

      1. What would you like to communicate to the user about this feature?
      2. Would you like the user to see examples of the syntax and/or executable code and its output?
      3. Which versions of the driver/connector does this apply to?


    Description

      A user can log to a file using the "MONGODB_LOG_PATH", which uses the os.OpenFile API, code here. This might be susceptible to a G304 vulnerability, i.e., "an attacker who could change [the filepath variable] to hold unauthorised file paths from the system. In this way, it is possible to exfiltrate confidential information or such."

      There may not be a way to resolve this without hardcoding a "safe path," which is not possible for this use case. Using the guidelines from the G304 link above, it might be good to at least use filepath.Clean to sanitize the MONGODB_LOG_PATH and, perhaps, ensure the output file has the ".log" extension.
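The two mitigations proposed above (filepath.Clean plus a ".log" extension check) look like this when placed in front of the os.OpenFile call. This is an added illustration, not the driver's own code; the names SanitizeLogPath, OpenLogFile and the two error values are hypothetical, and the sample inputs in main are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ErrEmptyLogPath and ErrNotLogFile are the two rejection reasons the
// validation below can report (hypothetical names, not driver API).
var (
	ErrEmptyLogPath = errors.New("log path is empty")
	ErrNotLogFile   = errors.New("log path must end in .log")
)

// SanitizeLogPath applies the two mitigations proposed in the ticket to a
// raw MONGODB_LOG_PATH value: filepath.Clean collapses ".", ".." and repeated
// separators into a canonical form, and the result must carry a ".log"
// extension. It deliberately does not confine the path to a fixed directory,
// because the ticket notes a hard-coded safe path is not an option here; a
// cleaned path such as "../../var/log/x.log" is therefore still accepted.
func SanitizeLogPath(raw string) (string, error) {
	if raw == "" {
		return "", ErrEmptyLogPath
	}
	cleaned := filepath.Clean(raw)
	if filepath.Ext(cleaned) != ".log" {
		return "", fmt.Errorf("%w: got %q", ErrNotLogFile, cleaned)
	}
	return cleaned, nil
}

// OpenLogFile is a hypothetical wrapper around the os.OpenFile call the
// ticket points at: the raw value is validated first, and the file is
// opened append-only with mode 0600 so other local users cannot read it.
func OpenLogFile(raw string) (*os.File, error) {
	p, err := SanitizeLogPath(raw)
	if err != nil {
		return nil, fmt.Errorf("refusing MONGODB_LOG_PATH: %w", err)
	}
	return os.OpenFile(p, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0o600)
}

func main() {
	// Constructed sample inputs: a plain path, one with traversal segments,
	// an empty value, and a path without the expected extension.
	for _, in := range []string{"driver.log", "./logs/../driver.log", "", "/etc/passwd"} {
		p, err := SanitizeLogPath(in)
		fmt.Printf("%-24q -> %q (err: %v)\n", in, p, err)
	}
}
```

Note what this does and does not buy: filepath.Clean gives a canonical form that is easier to log and compare, and the extension check stops the variable from naming an arbitrary existing file, but neither confines the path to a directory, so a value like "../../var/log/x.log" still passes. The extension check only helps if it is enforced before the open and is coupled with O_CREATE|O_APPEND and a restrictive mode, as above.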

      People

        Assignee: Unassigned
        Reporter: Preston Vasquez (preston.vasquez@mongodb.com)
        Votes: 0
        Watchers: 1