Module: github.com/google/safeopen
Version: 0.0.0-20240125081138-66b54d5181c6
Repository: https://github.com/google/safeopen.git
Documentation: pkg.go.dev

# README

## safeopen

This is not an officially supported Google product.

Safe-by-construction library with file open/create primitives for Golang that are not vulnerable to path traversal attacks. The library supports Unix and Windows systems. OS native safe primitives are leveraged where available (e.g. openat2 + RESOLVE_BENEATH). Symbolic links are followed only if there is a safe way to prevent traversal (e.g. on platforms where OS level safe primitives are available), otherwise an error is returned.

## Usage

All of these library functions expect a base directory as their first parameter. There are two families of API functions, distinguished by their suffix:

  • At: The file to be opened must be directly in the base directory
  • Beneath: The file to be opened must be somewhere underneath the base directory

Example:

    fd, err := safeopen.OpenBeneath("/workdir", filenameFromUserInput)
    if err != nil {
        return fmt.Errorf("unable to open file %v: %v", filenameFromUserInput, err)
    }
    // now use fd the same way you would use the return value of `os.Open`
    ...

The library also provides replacements for os.ReadFile and os.WriteFile. Example:

    data, err := safeopen.ReadFileBeneath("/workdir", filenameFromUserInput)
    if err != nil {
        return fmt.Errorf("unable to open file %v: %v", filenameFromUserInput, err)
    }
    // now you can process data safely
    ...
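The path policy behind the two families, sketched with the standard library only as an added example (this is not safeopen's code; `resolveAt`, `resolveBeneath` and `ErrUnsafe` are hypothetical names). It assumes every symlink is refused and checks the path before opening it, which is racy; the library instead relies on OS primitives such as openat2 + RESOLVE_BENEATH where available.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrUnsafe = errors.New("unsafe path") // hypothetical name, not safeopen's

// resolveBeneath applies the "Beneath" rule: name must stay under base.
// Assumption: symlinks are always refused; Lstat-then-open is also racy.
func resolveBeneath(base, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) {
		return "", fmt.Errorf("%w: %q is empty or absolute", ErrUnsafe, name)
	}
	cur := base
	for _, part := range strings.Split(filepath.ToSlash(name), "/") {
		if part == ".." { // conservative: rejects even "a/../b"
			return "", fmt.Errorf("%w: %q contains ..", ErrUnsafe, name)
		}
		if part == "" || part == "." {
			continue
		}
		cur = filepath.Join(cur, part)
		fi, err := os.Lstat(cur) // Lstat does not follow the final symlink
		if err != nil {
			return "", err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return "", fmt.Errorf("%w: %q is a symlink", ErrUnsafe, cur)
		}
	}
	return cur, nil
}

// resolveAt applies the "At" rule: name is one component directly in base.
func resolveAt(base, name string) (string, error) {
	if name == "." || strings.ContainsAny(name, `/\`) {
		return "", fmt.Errorf("%w: %q is not a plain file name", ErrUnsafe, name)
	}
	return resolveBeneath(base, name)
}

func main() {
	fmt.Println(resolveBeneath(os.TempDir(), "../etc/passwd")) // constructed input
}
```

Policy rejections wrap `ErrUnsafe`, so callers can tell them apart from ordinary errors such as a missing file with `errors.Is`.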

# Functions

CreateAt creates or truncates the named file in the named directory.
CreateBeneath creates or truncates the named file in the named directory.
OpenAt opens the named file in the named directory for reading.
OpenBeneath opens the named file in the named directory, or a subdirectory, for reading.
OpenFileAt is the generalized OpenAt call; most users will use OpenAt or CreateAt instead.
OpenFileBeneath is the generalized OpenBeneath call; most users will use OpenBeneath or CreateBeneath instead.
ReadFileAt is a replacement of os.ReadFile that leverages safeopen.OpenAt.
ReadFileBeneath is a replacement of os.ReadFile that leverages safeopen.OpenBeneath.
WriteFileAt is a replacement of os.WriteFile that leverages safeopen.CreateAt.
WriteFileBeneath is a replacement of os.WriteFile that leverages safeopen.CreateBeneath.