securejoin

0.2.5 Opens a new window with list of versions in this module.

Proposed filepath.SecureJoin implementation For more information about how to use this package see README

Latest version published 3 days ago

GitHub

Package Health Score

79 / 100

security
No known security issues
popularity
Recognized
maintenance
Sustainable
community
Sustainable

Popularity

Recognized

Imported By: 526
GitHub Stars: 80
Forks: 17
Contributors: 5

Usage Popularity

Based on project statistics from the GitHub repository for the Golang package securejoin, we found that it has been 80 times.

The popularity score for Golang modules is calculated based on the number of stars that the project has on GitHub as well as the number of imports by other modules.

Security

No known security issues

Security risks

Direct Vulnerabilities: 0
C
0
H
0
M
0
L

Indirect Vulnerabilities: Check with Snyk

Release Date

May 3, 2024

License

BSD-3-Clause

Security Policy

We found a way for you to contribute to the project! Looks like securejoin is missing a security policy.

You can connect your project's repository to Snyk to stay up to date on security alerts and receive automatic fix pull requests.

Keep your project free of vulnerabilities with Snyk

Maintenance

Sustainable

Commit Frequency

Open Issues: 1
Open PR: 0
Last Release: 3 days ago
Last Commit: 8 months ago

Further analysis of the maintenance status of github.com/cyphar/filepath-securejoin based on released golang versions cadence, the repository activity, and other data points determined that its maintenance is Sustainable.

We found that github.com/cyphar/filepath-securejoin demonstrates a positive version release cadence with at least one new version released in the past 3 months.

In the past month we didn't find any pull request activity or change in issues status has been detected for the GitHub repository.

Community

Sustainable

Readme.md: Yes
Contributing.md: No
Code of Conduct: No
Contributors: 5
Funding: No

This project has seen only 10 or less contributors.

We found a way for you to contribute to the project! Looks like github.com/cyphar/filepath-securejoin is missing a Code of Conduct.

Embed Package Health Score Badge

Keep your project healthy

Check your go.mod

Ensure all the packages you're using are healthy and well-maintained

Readme

`filepath-securejoin`

An implementation of SecureJoin, a candidate for inclusion in the Go standard library. The purpose of this function is to be a "secure" alternative to filepath.Join, and in particular it provides certain guarantees that are not provided by filepath.Join.

> NOTE: This code is only safe if you are not at risk of other processes > modifying path components after you've used SecureJoin. If it is possible > for a malicious process to modify path components of the resolved path, then > you will be vulnerable to some fairly trivial TOCTOU race conditions. There > are some Linux kernel patches I'm working on which might allow for a better > solution. > > In addition, with a slightly modified API it might be possible to use > O_PATH and verify that the opened path is actually the resolved one -- but > I have not done that yet. I might add it in the future as a helper function > to help users verify the path (we can't just return /proc/self/fd/ > because that doesn't always work transparently for all users).

This is the function prototype:

func SecureJoin(root, unsafePath string) (string, error)

This library guarantees the following:

If no error is set, the resulting string must be a child path of root and will not contain any symlink path components (they will all be expanded).
When expanding symlinks, all symlink path components must be resolved relative to the provided root. In particular, this can be considered a userspace implementation of how chroot(2) operates on file paths. Note that these symlinks will not be expanded lexically (filepath.Clean is not called on the input before processing).
Non-existent path components are unaffected by SecureJoin (similar to filepath.EvalSymlinks's semantics).
The returned path will always be filepath.Cleaned and thus not contain any .. components.

A (trivial) implementation of this function on GNU/Linux systems could be done with the following (note that this requires root privileges and is far more opaque than the implementation in this library, and also requires that readlink is inside the root path):

package securejoin

import (
	"os/exec"
	"path/filepath"
)

func SecureJoin(root, unsafePath string) (string, error) {
	unsafePath = string(filepath.Separator) + unsafePath
	cmd := exec.Command("chroot", root,
		"readlink", "--canonicalize-missing", "--no-newline", unsafePath)
	output, err := cmd.CombinedOutput()
	if err != nil {
		return "", err
	}
	expanded := string(output)
	return filepath.Join(root, expanded), nil
}

License

The license of this project is the same as Go, which is a BSD 3-clause license available in the LICENSE file.

FAQs

What is securejoin?

Proposed filepath.SecureJoin implementation. Visit Snyk Advisor to see a full health score report for securejoin, including popularity, security, maintenance & community analysis.

Is securejoin popular?

The golang package securejoin receives a total of ? weekly downloads. As such, securejoin popularity was classified as a recognized. Visit the popularity section on Snyk Advisor to see the full health analysis.

Is securejoin well maintained?

We found indications that securejoin maintenance is sustainable demonstrating some project activity. We saw a total of 5 open source contributors collaborating on the project. See the full package health analysis to learn more about the package maintenance status.

Is securejoin safe to use?

The golang package securejoin was scanned for known vulnerabilities and missing license, and no issues were found. Thus the package was deemed as safe to use. See the full health analysis review.

Last updated on 6 May-2024, at 06:44 (UTC).

Build a secure application checklist

Select a recommended open source package

Minimize your risk by selecting secure & well maintained open source packages

DONE

Scan your app for vulnerabilities

Scan your application to find vulnerabilities in your: source code, open source dependencies, containers and configuration files

SCAN NOW

Fix identified vulnerabilities

Easily fix your code by leveraging automatically generated PRs

AUTO FIX

Monitor for new issues

New vulnerabilities are discovered every day. Get notified if your application is affected

MONITOR APP

Package Health Score

Usage Popularity

Security risks

Commit Frequency

Embed Package Health Score Badge

Keep your project healthy

Check your go.mod

Readme

filepath-securejoin

License

FAQs

What is securejoin?

Is securejoin popular?

Is securejoin well maintained?

Is securejoin safe to use?

Build a secure application checklist

Select a recommended open source package

Scan your app for vulnerabilities

Source Code

Open Source

Container

Config

Fix identified vulnerabilities

Monitor for new issues

`filepath-securejoin`