A user can log to a file by setting "MONGODB_LOG_PATH", whose value is passed straight to the os.OpenFile API (code here). This might be susceptible to a G304 finding (gosec's "potential file inclusion via variable"), i.e., "an attacker who could change [the filepath variable] to hold unauthorised file paths from the system. In this way, it is possible to exfiltrate confidential information or such."
There may not be a way to resolve this without hardcoding a "safe path," which is not possible for this use case. Following the guidelines in the G304 link above, it would be good to at least run the MONGODB_LOG_PATH value through filepath.Clean (which normalises the path but, on its own, does not stop it from pointing anywhere on the filesystem) and, perhaps, require that the output file has a ".log" extension.
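The following is an added illustration of the mitigation suggested above; it is not the driver's code. The function names `sanitizeLogPath` and `openLogFile`, and the optional `allowedDir` restriction, are assumptions made for the example (the issue itself only asks for filepath.Clean and a ".log" check). It shows why Clean alone is not enough: a cleaned path such as "/etc/cron.d/x.log" is perfectly "clean", so if the deployment can name a directory, the example also checks that the cleaned path stays inside it.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrBadLogPath is returned for any MONGODB_LOG_PATH value we refuse to open.
var ErrBadLogPath = errors.New("invalid log path")

// sanitizeLogPath applies the mitigations discussed in the issue:
//   - filepath.Clean normalises the value ("a/./b/../c" -> "a/c"),
//   - the result must end in ".log".
// allowedDir is a hypothetical extra restriction (not something the issue
// requires): when non-empty, the cleaned path must resolve inside it.
func sanitizeLogPath(raw, allowedDir string) (string, error) {
	if strings.TrimSpace(raw) == "" {
		return "", fmt.Errorf("%w: empty path", ErrBadLogPath)
	}
	// Clean only normalises; "../../etc/x.log" is still a traversal after Clean.
	cleaned := filepath.Clean(raw)
	if strings.IndexByte(cleaned, 0) >= 0 {
		return "", fmt.Errorf("%w: NUL byte in path", ErrBadLogPath)
	}
	if filepath.Ext(cleaned) != ".log" {
		return "", fmt.Errorf("%w: %q does not end in .log", ErrBadLogPath, cleaned)
	}
	if allowedDir != "" {
		absBase, err := filepath.Abs(filepath.Clean(allowedDir))
		if err != nil {
			return "", err
		}
		abs, err := filepath.Abs(cleaned)
		if err != nil {
			return "", err
		}
		// A path inside absBase has a relative form that does not start with "..".
		rel, err := filepath.Rel(absBase, abs)
		if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
			return "", fmt.Errorf("%w: %q escapes %q", ErrBadLogPath, cleaned, absBase)
		}
	}
	return cleaned, nil
}

// openLogFile validates the path first, then performs the os.OpenFile call
// that gosec flags. Append-only and 0600 so the log cannot be read by others.
func openLogFile(raw, allowedDir string) (*os.File, error) {
	p, err := sanitizeLogPath(raw, allowedDir)
	if err != nil {
		return nil, err
	}
	return os.OpenFile(p, os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0o600) // #nosec G304 -- validated above
}

func main() {
	// Example usage: MONGODB_LOG_PATH is the real variable name; allowedDir is
	// left empty here because the issue says a fixed safe directory is not possible.
	f, err := openLogFile(os.Getenv("MONGODB_LOG_PATH"), "")
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to open log file:", err)
		os.Exit(1)
	}
	defer f.Close()
	fmt.Fprintln(f, "logger initialised")
}
```

The `#nosec G304` annotation is the standard way to tell gosec that the variable path has been validated; it should only be added once a check like the one above is actually in place.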