GHSA-6xv5-86q9-7xr8: 
vulnerability analysis and mitigation

A moderate severity vulnerability (GHSA-6xv5-86q9-7xr8) was discovered in github.com/cyphar/filepath-securejoin affecting versions prior to 0.2.4. The vulnerability was discovered by Paulo Gomes (@pjbgf) and disclosed on September 6, 2023. The issue specifically affects Windows users of the package, where certain combinations of rootfs and path parameters could lead to path traversal issues (GitHub Advisory).

The vulnerability occurs when a malicious Unix-style /-separated unsafe path is used with a Windows-style rootfs path, which could result in generated paths that exist outside of the provided rootfs. The issue stems from improper handling of volume names in Windows paths, where the main logic was not correctly accounting for the Volume name in path processing (GitHub Commit).

When exploited, this vulnerability could allow an attacker to generate paths that exist outside of the intended root filesystem directory on Windows systems. While the practical impact on real users was unclear, the severity of potential unauthorized file system access led to an emergency patch release (GitHub Release).

The issue has been patched in version 0.2.4 of the package. As a workaround, users can apply filepath.FromSlash() on all unsafe paths before passing them to filepath-securejoin. The fix was implemented in commit c121231e1276e11049547bee5ce68d5a2cfe2d9b (GitHub PR).