glog - Security Vulnerability Report


Marco Arboleda

Dec 6, 2022, 6:44:37 PM
to golan...@googlegroups.com

Good afternoon,

My company is using the glog library as a dependency in some of our code.

However, one of my pipelines for a project I’m working on started failing today. It was due to a security issue flagged by our static code analysis tool.

The relevant lines of code were lines 117 & 118 in glog_file.go of the glog package.

Could someone take a look at this and look into fixing the security vulnerability?

Here are some more details about the security issue:

Unsanitized input from a CLI argument flows into os.Remove, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to delete arbitrary files.

Found in: vendor/github.com/golang/glog/glog_file.go (line : 117)

Unsanitized input from a CLI argument flows into os.Symlink, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to create arbitrary symlinks.

Found in: vendor/github.com/golang/glog/glog_file.go (line : 118)

And here’s an article I found about the security issue in more detail (code CWE-23): https://cwe.mitre.org/data/definitions/23.html

Marco Arboleda  | Developer 1

Applied Systems Canada

marb...@appliedsystems.com


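The finding above is the classic "flag value flows into a filesystem call" pattern. The following is an added example, not code from glog or from the poster: it shows how a practitioner would confine a caller-supplied name to a log directory before passing it to os.Remove and os.Symlink, which is the check a scanner is looking for when it raises CWE-23 on such a flow. The function names (ConfinePath, RotateSymlink) and the constructed inputs are assumptions made for the example. Note the trust-boundary caveat: a value from a CLI flag such as a log directory is normally operator-controlled, so whether this is exploitable depends on who can set that flag in your deployment; the confinement check below is what makes the scanner finding moot either way.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Errors returned when a caller-supplied name would escape or alias the
// directory it is meant to stay inside.
var (
	ErrOutsideBase = errors.New("path escapes base directory")
	ErrBadName     = errors.New("name resolves to the base directory itself")
)

// absClean returns base as an absolute, lexically cleaned path.
func absClean(base string) (string, error) {
	abs, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	return filepath.Clean(abs), nil
}

// ConfinePath joins name onto base and returns the absolute result only if
// it stays strictly inside base. Absolute names, "..", and names that clean
// down to base itself are rejected, so the result is safe to hand to
// os.Remove or os.Symlink.
func ConfinePath(base, name string) (string, error) {
	absBase, err := absClean(base)
	if err != nil {
		return "", err
	}
	if name == "" || filepath.IsAbs(name) {
		return "", ErrOutsideBase
	}
	candidate := filepath.Clean(filepath.Join(absBase, name))
	rel, err := filepath.Rel(absBase, candidate)
	if err != nil {
		return "", err
	}
	switch {
	case rel == ".":
		return "", ErrBadName
	case rel == "..", strings.HasPrefix(rel, ".."+string(filepath.Separator)):
		return "", ErrOutsideBase
	}
	return candidate, nil
}

// RotateSymlink replaces the symlink linkName inside logDir so that it points
// at target, where both names are confined to logDir first. An existing
// non-symlink at linkName is left alone rather than deleted.
func RotateSymlink(logDir, linkName, target string) error {
	absDir, err := absClean(logDir)
	if err != nil {
		return err
	}
	link, err := ConfinePath(absDir, linkName)
	if err != nil {
		return fmt.Errorf("refusing link name %q: %w", linkName, err)
	}
	tgt, err := ConfinePath(absDir, target)
	if err != nil {
		return fmt.Errorf("refusing target %q: %w", target, err)
	}
	// Lstat, not Stat: inspect the link itself without following it.
	switch fi, err := os.Lstat(link); {
	case err == nil && fi.Mode()&os.ModeSymlink == 0:
		return fmt.Errorf("%s exists and is not a symlink", link)
	case err == nil:
		if err := os.Remove(link); err != nil {
			return err
		}
	case !errors.Is(err, os.ErrNotExist):
		return err
	}
	// Store a relative target so the link survives the directory being moved.
	relTarget, err := filepath.Rel(absDir, tgt)
	if err != nil {
		return err
	}
	return os.Symlink(relTarget, link)
}

func main() {
	dir, err := os.MkdirTemp("", "logdir")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	// Constructed input: a log file the program wrote itself.
	if err := os.WriteFile(filepath.Join(dir, "app.INFO.1"), []byte("log line\n"), 0o600); err != nil {
		panic(err)
	}
	fmt.Println("ok:", RotateSymlink(dir, "app.INFO", "app.INFO.1"))
	// Constructed hostile inputs of the kind the scanner warns about.
	fmt.Println("rejected:", RotateSymlink(dir, "../../etc/cron.d/evil", "app.INFO.1"))
	fmt.Println("rejected:", RotateSymlink(dir, "app.INFO", "/etc/passwd"))
}
```

The check is lexical: it proves the path string cannot leave the base directory, which is exactly the property a taint-tracking scanner wants to see between the flag and the sink. It does not protect against a symlink already planted inside the directory by another local user; for that, keep the directory's permissions tight and, as above, use os.Lstat and only ever remove entries that are themselves symlinks.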
peterGo

Dec 6, 2022, 10:25:10 PM
to golang-nuts
Please follow the Go Security Policy: https://go.dev/security/policy

All security bugs in the Go distribution should be reported by email to secu...@golang.org. This mail is delivered to the Go Security team.

Marco Arboleda

Dec 8, 2022, 8:55:45 AM
to golan...@googlegroups.com

Good morning,

I’d like to follow up on the below email and whether the code that was flagged as a security issue will be looked into and fixed.

I looked around at how another Go library fixed the issue, and this function may help
