[GODRIVER-2780] Potential File Inclusion Vulnerability in Logging Created: 20/Mar/23  Updated: 27/Mar/23  Resolved: 27/Mar/23

Status: Closed
Project: Go Driver
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Unknown
Reporter: Preston Vasquez Assignee: Unassigned
Resolution: Cannot Reproduce Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Documentation Changes Summary:

1. What would you like to communicate to the user about this feature?
2. Would you like the user to see examples of the syntax and/or executable code and its output?
3. Which versions of the driver/connector does this apply to?


Description

A user can log to a file using the "MONGODB_LOG_PATH", which uses the os.OpenFile API, code here. This might be susceptible to a G304 vulnerability. I.e., "an attacker who could change [the filepath variable] to hold unauthorised file paths from the system. In this way, it is possible to exfiltrate confidential information or such."

There may not be a way to resolve this without hardcoding a "safe path," which is not possible for this use case. Using the guidelines from the G304 link above, it might be good to at least use filepath.Clean to sanitize the "MONGODB_LOG_PATH" and, perhaps, ensure the output file has the ".log" extension.


Generated at Thu Feb 08 08:39:20 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.