FilesystemStore is vulnerable to directory traversal attacks

[neild]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

I'm filing this a public issue, since it has already been disclosed elsewhere.

FilesystemStore uses an unsanitized Session.ID when constructing filenames. The documentation for Session states that ID "should not be used for user data", but I don't see anything in the documentation stating that IDs must not contain path traversal characters.

Path traversal in FilesystemStore is a component of CVE-2024-3400 in Palo Alto VPN (https://unit42.paloaltonetworks.com/cve-2024-3400/), an actively-exploited remote code execution attack. While this presumably stems from a misuse of the Session API, in which attacker-controlled data was used as a Session.ID, this demonstrates that lack of sanitization is quite hazardous.

The Go Vulnerability Database has assigned this the ID https://pkg.go.dev/vuln/GO-2024-2730.

Expected Behavior

No response

Steps To Reproduce

No response

Anything else?

No response

[mlec1]

I think it has been fixed in this MR

#274

[jaitaiwan]

That's correc thanks @mlec1