Both the at (systems that implement openat, unlinkat etc) and the noat implementations of os.RemoveAll are susceptible to a TOCTOU symlink race, where a directory can be replaced with a symlink between being stat'd and open'd. This can be used to 'trick' the program into deleting things it does not expect to delete. This is a minor security issue, but has relatively limited impact because it requires a multi-user system where an attacker is able to create symlinks, a program which will call os.RemoveAll on an attacker writable tree.

This is due to O_NOFOLLOW not being passed to openat/open on Unix systems, and FILE_FLAG_OPEN_REPARSE_POINT not being passed to CreateFileW on Windows. On Unix systems the fix is extremely simple, but on Windows it requires some changes to the Windows syscalls, since the flags passed to CreateFileW are fixed and cannot be altered by the caller currently.

Comment From: gopherbot

Change https://go.dev/cl/588495 mentions this issue: os: RemoveAll: don't stat before open dir

Comment From: rolandshoemaker

@gopherbot please open backport issues for this, it's a security hardening issue which fixes a long running TOCTOU race.

Comment From: gopherbot

Backport issue(s) opened: #67695 (for 1.21), #67696 (for 1.22).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

Comment From: rolandshoemaker

The Unix-likes (everything wtih openat) is basically fixed now, but we still need to do the same thing for Windows. We'll try to get that done such that we can backport it into the 1.24 release once that happens so that all implementations are aligned.

Comment From: gopherbot

Change https://go.dev/cl/629698 mentions this issue: os: add Root.RemoveAll, avoid symlink race in RemoveAll on Windows

Comment From: gopherbot

Change https://go.dev/cl/630337 mentions this issue: os: avoid symlink race in RemoveAll on Windows

Comment From: gopherbot

Change https://go.dev/cl/661575 mentions this issue: os: avoid symlink races in RemoveAll on Windows