goshs SFTP Root Escape Vulnerability Allowing Unauthorized File Access and Modification

Vulnerability

A path traversal vulnerability has been identified in goshs, a SimpleHTTPServer written in Go. It affects versions up to and including 2.0.0-beta.5 and is fixed in 2.0.0-beta.6. The flaw allows authenticated SFTP users to escape the designated SFTP root directory and read or modify files outside it. The root cause is prefix-based path validation: the server only checked that a resolved path began with the root's path string rather than that it lay inside the root directory. Any directory whose name starts with the root path (a sibling such as a directory named like the root with a suffix appended) therefore satisfies the check, so requests resolving into it are treated as being inside the root.

Impact

Exploitation allows an authenticated SFTP user to break out of the configured root into sibling filesystem paths that were never meant to be exposed. Depending on which paths are reachable and the permissions of the server process, this can result in unauthorized file disclosure, arbitrary file uploads outside the designated root, unwanted directory creation, overwriting of sensitive files, or deletion of data. Note that the precondition is valid SFTP credentials; the flaw does not bypass authentication itself.

Reproduction

The vulnerability can be reproduced by starting goshs with an explicit SFTP root directory and placing a marker file in a sibling directory on the server, outside the configured root. An authenticated SFTP client can then read that file through the server by addressing the sibling path relative to the root, demonstrating the root escape. The same path can be used to write files and create directories outside the designated root, which shows that the escape is not limited to reads.

Remediation

Upgrade to goshs 2.0.0-beta.6 or later. In the code, the raw string-prefix check should be replaced with a proper directory-boundary validation: after resolving the client-supplied path against the root, verify that the result is the root itself or lies beneath the root as a directory (for example by computing the path relative to the root and rejecting any result that begins with a parent-directory component), not merely that it starts with the root's characters. Reusing a hardened HTTP-style path sanitizer for SFTP file operations keeps the boundary logic consistent across the different file-serving modes, so the same class of bug cannot reappear in one mode after being fixed in another. A lexical check of this kind does not account for symbolic links inside the root that point outside it; if such links may exist, resolve them before opening files.
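The following Go program is an added illustration, not goshs's own code, of the check pattern this advisory describes beside a directory-boundary check. It covers both the reproduction above (a sibling directory that shares the root's prefix) and the remediation. The root `/srv/sftp`, the sibling directory `/srv/sftp-backup`, the request strings and the function names are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned for any request that resolves outside the SFTP root.
var ErrOutsideRoot = errors.New("path escapes sftp root")

// resolveVulnerable shows the flawed pattern the advisory describes: the
// client-supplied path is joined to the root and accepted as long as the result
// starts with the root string. Since "/srv/sftp" is a string prefix of
// "/srv/sftp-backup", a request for "../sftp-backup/secret" passes the check.
func resolveVulnerable(root, requested string) (string, error) {
	abs := filepath.Join(root, requested) // Join also collapses "." and ".." segments
	if !strings.HasPrefix(abs, root) {
		return "", ErrOutsideRoot
	}
	return abs, nil
}

// resolveHardened enforces a directory boundary instead of a string prefix.
// The resolved path must be the root itself or a descendant of it, which is
// checked by computing the path relative to the root and rejecting anything
// that begins by climbing out ("..").
func resolveHardened(root, requested string) (string, error) {
	root = filepath.Clean(root)
	abs := filepath.Join(root, requested)
	rel, err := filepath.Rel(root, abs)
	if err != nil {
		return "", ErrOutsideRoot
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	// This is a lexical check only. If the root may contain symlinks that
	// point outside it, resolve them (filepath.EvalSymlinks) before opening
	// anything, or serve files through os.OpenRoot on Go 1.24+.
	return abs, nil
}

// orErr renders a result or its error for the demonstration table.
func orErr(p string, err error) string {
	if err != nil {
		return "REJECTED (" + err.Error() + ")"
	}
	return p
}

func main() {
	root := "/srv/sftp" // hypothetical SFTP root, not taken from the advisory
	requests := []string{
		"docs/readme.txt",       // legitimate path inside the root
		"../sftp-backup/secret", // sibling directory sharing the root's prefix
		"../../etc/passwd",      // traversal well outside the root
		"/",                     // the root itself
	}
	for _, req := range requests {
		v, verr := resolveVulnerable(root, req)
		h, herr := resolveHardened(root, req)
		fmt.Printf("%-24s prefix-check: %-32s boundary-check: %s\n",
			req, orErr(v, verr), orErr(h, herr))
	}
}
```

Running the program shows that only the sibling request separates the two checks: the prefix check accepts `/srv/sftp-backup/secret` while the boundary check rejects it, and both agree on in-root paths and on traversal that leaves the `/srv/sftp` prefix entirely. That narrow difference is why prefix checks tend to survive casual testing with `../../etc/passwd`-style payloads.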

Added: Apr 21, 2026, 11:49 PM
Updated: Apr 21, 2026, 11:49 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.4
exploitability: 6.6
remediation: 0.0
relevance: 6.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.