Expected Findings
- User-supplied filename is joined into a base path without normalization.
- `..` segments escape the upload directory.
- URL-encoded variants and double-encoding are both honored.
The download endpoint joins the `file` parameter into a base directory without normalization, letting `../` segments read arbitrary host files.
CWE-22, CWE-200

```go
os.Open(filepath.Join("/srv/uploads/", req.URL.Query().Get("file")))
```
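The join from the finding beside a contained version, as an added example that is not part of the original finding: `vulnerableResolve` reproduces the unchecked join, `safeResolve` proves containment with `filepath.Rel` after all decoding has happened, and `decodeFully` models a handler that decodes percent-encoding more than once. The base directory and filenames are constructed sample values.

```go
package main

import (
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// vulnerableResolve mirrors the finding: filepath.Join cleans the joined path
// but never checks that the result is still under base.
func vulnerableResolve(base, name string) string {
	return filepath.Join(base, name)
}

// safeResolve joins the fully decoded filename and then proves containment
// with filepath.Rel; a relative form starting with ".." means it escaped base.
func safeResolve(base, name string) (string, error) {
	base = filepath.Clean(base)
	joined := filepath.Join(base, name)
	rel, err := filepath.Rel(base, joined)
	if err != nil {
		return "", err
	}
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%q escapes %s", name, base)
	}
	return joined, nil
}

// decodeFully undoes up to three layers of percent-encoding, so the
// containment check runs on the final form and an encoded ".." cannot survive.
func decodeFully(s string) string {
	for i := 0; i < 3; i++ {
		d, err := url.PathUnescape(s)
		if err != nil || d == s {
			break
		}
		s = d
	}
	return s
}

func main() {
	for _, raw := range []string{"report.pdf", "../../etc/passwd", "%252e%252e/etc/passwd"} {
		name := decodeFully(raw)
		p, err := safeResolve("/srv/uploads", name)
		fmt.Printf("%-22s join=%-24s safe=%q err=%v\n", raw, vulnerableResolve("/srv/uploads", name), p, err)
	}
}
```

The lexical check does not follow symlinks inside the upload directory; resolve the final path with `filepath.EvalSymlinks` (or open it through a rooted file API) if symlinks can exist there.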