Golang Snippet #11
This challenge covers the review of a snippet of code written in Golang
The Code Review Snippet challenges provide a small snippet of vulnerable Golang code for you to analyze. Your task is to identify the security issue without initially watching the video. If you cannot find the issue or want to confirm your findings, the video offers a detailed explanation.
In this particular snippet, the handler function processes an HTTP request and calls a filter function to check for directory traversal characters ("..") in the URL query parameters. However, the serveFile function uses the path from the form values, which can differ from the URL query parameters. This discrepancy allows an attacker to bypass the filter by placing non-malicious content in the URL and malicious content in the form body, leading to a security vulnerability.