With the base path `/app`:

```go
RealPath("../secret")     // not found error, secure
RealPath("../app-secret") // ok, not secure
```

`if !strings.HasPrefix(path, bpath) {` - that's the issue, we shouldn't check it like that.
https://github.com/spf13/afero/blob/master/basepath.go#L53-L65

We can use `filepath.IsLocal`, `filepath.Rel` or similar methods instead of the prefix check.

I drafted a PR, but unfortunately the tests use a `TempDir` call, which adds random postfixes to created folders and thus prevents the attack.
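To make the difference concrete, here is an added example (not code from the afero project or from the reporter) that places the string-prefix check described above next to a `filepath.Rel`-based containment check. The base path `/app` and the three sample names are assumed for the demonstration; the helper names are hypothetical.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// basePath is an assumed base directory for this demonstration.
const basePath = "/app"

// realPathPrefixCheck mirrors the flawed logic: join, clean, then a plain
// string-prefix test. Returns the resolved path and whether it was accepted.
// Note that "/app-secret" has "/app" as a string prefix yet lies outside it.
func realPathPrefixCheck(bpath, name string) (string, bool) {
	path := filepath.Clean(filepath.Join(bpath, name))
	return path, strings.HasPrefix(path, bpath)
}

// realPathRelCheck is the hardened variant: it asks filepath.Rel how the
// resolved path relates to bpath and rejects anything that needs ".." to
// get there, i.e. anything outside the base directory tree.
func realPathRelCheck(bpath, name string) (string, bool) {
	path := filepath.Clean(filepath.Join(bpath, name))
	rel, err := filepath.Rel(bpath, path)
	if err != nil {
		return path, false
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return path, false
	}
	return path, true
}

func main() {
	// Constructed sample names: one escape, one sibling-directory escape,
	// one legitimate file inside the base path.
	for _, name := range []string{"../secret", "../app-secret", "docs/readme.txt"} {
		p, okPrefix := realPathPrefixCheck(basePath, name)
		_, okRel := realPathRelCheck(basePath, name)
		fmt.Printf("%-16s -> %-22s prefix check: %-5v rel check: %v\n", name, p, okPrefix, okRel)
	}
}
```

Running it shows the prefix check accepting `../app-secret` while the `filepath.Rel` check rejects it and still admits `docs/readme.txt`.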