Skip to content

document relation to Go 1.24's os.Root APIs #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
aktau opened this issue Apr 1, 2025 · 1 comment
Open

document relation to Go 1.24's os.Root APIs #2

aktau opened this issue Apr 1, 2025 · 1 comment

Comments

@aktau
Copy link

aktau commented Apr 1, 2025

Go 1.24 introduces the os.Root family of file APIs: https://go.dev/blog/osroot (cc @neild). These APIs are resistant to path traversal.

If I'm understanding things correctly, this is a replacement for safeopen. It may be a good idea to:

  1. Recommend users who can use Go 1.24+ to use os.Root instead of safeopen.
  2. Reimplement safeopen on top of os.Root.
  3. Deprecate (or mark with inline me annotations) the safeopen functions to users can migrate once Go 1.24 is two releases old.
@neild
Copy link

neild commented Apr 1, 2025

A few notes on safeopen vs. os.Root:

  • os.Root supports a few more platforms than safeopen. (Notably GOOS=wasip1, probably less notably GOOS=plan9.)
  • os.Root doesn't use openat2/RESOLVE_BENEATH yet (hopefully it will in Go 1.25) and will be less efficient than safeopen when openat2 is available.
  • os.Root tries quite hard to preserve platform path semantics: For example, on Unix a/../b follows (non-escaping) symlinks in a. I believe safeopen rejects paths containing .. components. (From a quick look, safeopen also rejects symlinks entirely on systems that don't have openat2/RESOLVE_BENEATH?)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@neild @aktau