SecureJoin: on windows, paths outside of the rootfs could be inadvertently produced

Overview

Source
ID
GHSA-6xv5-86q9-7xr8
Aliases
GO-2023-2048

Description

### Impact

For Windows users of `github.com/cyphar/filepath-securejoin`, until v0.2.4 it was possible for certain rootfs and path combinations (in particular, where a malicious Unix-style `/`-separated unsafe path was used with a Windows-style rootfs path) to result in generated paths that were outside of the provided rootfs.

It is unclear to what extent this has a practical impact on real users, but given the possible severity of the issue we have released an emergency patch release that resolves this issue.

Thanks to @pjbgf for discovering, debugging, and fixing this issue (as well as writing some tests for it).

### Patches

c121231e1276e11049547bee5ce68d5a2cfe2d9b is the patch fixing this issue. v0.2.4 contains the fix.

### Workarounds

Users could use `filepath.FromSlash()` on all unsafe paths before passing them to `filepath-securejoin`.
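The following Go program is an added example illustrating where the workaround sits in a caller; it is not code from `filepath-securejoin` or from the advisory. It applies `filepath.FromSlash()` to the untrusted path before the join, and adds a hypothetical containment check (`WithinRoot`, `JoinChecked` and the `Joiner` type are constructed for this example) that fails closed if the joined result lands outside the rootfs. The `Joiner` parameter stands in for the library call a real caller would pass (such as `securejoin.SecureJoin`) so that the example runs with the standard library alone; the `filepath.Join` stand-in used in `main` does not resolve symlinks and is not a substitute for the library. The rootfs path `/srv/rootfs` is a constructed sample value.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// NormalizeUnsafePath is the advisory's workaround: convert an untrusted,
// Unix-style "/"-separated path to the host's separator before it reaches the
// rootfs-joining routine. On Windows "etc/../../passwd" becomes
// `etc\..\..\passwd`; on Unix the call is a no-op.
func NormalizeUnsafePath(unsafe string) string {
	return filepath.FromSlash(unsafe)
}

// WithinRoot is a hypothetical defence-in-depth check added for this example
// (it is not part of filepath-securejoin): it reports whether candidate, once
// cleaned and made absolute, is root itself or lies below it. On Windows a
// candidate on a different volume makes filepath.Rel fail, which is returned
// as an error so the caller can refuse it.
func WithinRoot(root, candidate string) (bool, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return false, err
	}
	absCand, err := filepath.Abs(candidate)
	if err != nil {
		return false, err
	}
	rel, err := filepath.Rel(absRoot, absCand)
	if err != nil {
		return false, err
	}
	sep := string(filepath.Separator)
	// A relative path of ".." or starting with "../" points above root.
	// A name such as "..foo" is a legitimate entry and is not rejected.
	if rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return false, nil
	}
	return true, nil
}

// Joiner stands in for the library call a caller would use, for example
// securejoin.SecureJoin(root, unsafe). It is a parameter so that this example
// has no external dependency.
type Joiner func(root, unsafe string) (string, error)

// JoinChecked wraps a joiner with the workaround (normalise first) and the
// containment check (verify afterwards), failing closed if the result escapes.
func JoinChecked(root, unsafe string, join Joiner) (string, error) {
	joined, err := join(root, NormalizeUnsafePath(unsafe))
	if err != nil {
		return "", err
	}
	inside, err := WithinRoot(root, joined)
	if err != nil {
		return "", err
	}
	if !inside {
		return "", errors.New("joined path escapes rootfs: " + joined)
	}
	return joined, nil
}

func main() {
	// Constructed stand-in joiner: filepath.Join only cleans lexically and does
	// not resolve symlinks, so it is NOT a replacement for SecureJoin.
	naive := Joiner(func(root, unsafe string) (string, error) {
		return filepath.Join(root, unsafe), nil
	})
	root := filepath.FromSlash("/srv/rootfs") // constructed sample rootfs
	for _, p := range []string{"etc/passwd", "../../etc/passwd"} {
		out, err := JoinChecked(root, p, naive)
		fmt.Printf("%-20q -> %q err=%v\n", p, out, err)
	}
}
```

The normalisation step is the advisory's workaround; the post-join check is independent of it and only catches results that are lexically outside the root, so it complements rather than replaces the library's symlink-aware join.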

### References

See #9.

Summary

2.05k total packages affected: packages with at least one version that is affected by the advisory or has an affected dependency.
606 packages with a known fix: packages with versions affected by the advisory that have a greater version that is not affected.
0.15% of the total ecosystem affected: the proportion of packages in the ecosystem that are affected by the advisory (fixed or not).
Affected Version: Introduced: 0, Fixed: 0.2.4
Patched/Unaffected
v0.2.4
v0.2.5
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.3.6
v0.4.0
v0.4.1
Affected
v0.2.3
v0.2.2
v0.2.1
v0.2.0
v0.1.0