Zip Slip in Echo Go with Bearer Tokens
Zip Slip in Echo Go with Bearer Tokens — how this specific combination creates or exposes the vulnerability
Zip Slip is a path traversal vulnerability that occurs when an application constructs file paths using user-supplied input without proper validation. In the Echo Go framework, this risk is amplified when Bearer Tokens are handled in request headers and used to influence file operations. An attacker can supply a malicious path such as ../../../etc/passwd alongside a Bearer Token in the Authorization header, and if the token is logged, stored, or used to derive a file location, the resolved path may escape the intended directory. For example, a handler that uses the token to name a downloaded file or a temporary directory can be tricked into writing outside the allowed location, leading to unauthorized file access or overwrite.
Consider an Echo Go route that retrieves a Bearer Token from the header and appends it to a base directory to store user-specific artifacts:
const baseDir = "/var/app/uploads"
func handler(c echo.Context) error {
token := c.Request().Header.Get("Authorization")
if token == "" {
return echo.NewHTTPError(http.StatusUnauthorized, "missing token")
}
// Assume token is used as a subdirectory name
userDir := filepath.Join(baseDir, token)
f, err := os.Create(filepath.Join(userDir, "data.bin"))
if err != nil {
return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
}
defer f.Close()
return c.JSON(map[string]string{"status": "ok"})
}
If the token contains path traversal sequences, filepath.Join may not sanitize them correctly, allowing an attacker to control the final path. This becomes a Zip Slip vector when the token is later used in archive extraction routines, where malicious filenames inside a zip archive can traverse directories. The combination of Bearer Tokens and file system operations in Echo Go requires strict validation of the token value and canonicalization of paths before any file creation or extraction.
Additionally, logging or returning the Bearer Token in error messages can aid an attacker in refining traversal patterns. Echo Go middleware that captures request details must ensure tokens are masked or omitted from logs. Without these safeguards, an API endpoint that accepts Bearer Tokens and performs file operations remains vulnerable to path manipulation, data exposure, and potential compromise of server-side resources.
Bearer Tokens-Specific Remediation in Echo Go — concrete code fixes
Remediation focuses on validating and sanitizing Bearer Tokens before using them in file paths, and avoiding direct concatenation with user input. Always treat the Authorization header as untrusted. Use a whitelist or strict pattern to validate token format, and store tokens in a secure, non-file-based context (e.g., in-memory session stores) rather than as filesystem identifiers.
Below is a secure Echo Go handler that avoids path traversal by not using the token as a directory name. Instead, a deterministic user ID derived from authentication (not the raw token) is used for file operations:
const baseDir = "/var/app/uploads"
func secureHandler(c echo.Context) error {
auth := c.Request().Header.Get("Authorization")
if auth == "" || !strings.HasPrefix(auth, "Bearer ") {
return echo.NewHTTPError(http.StatusUnauthorized, "invalid authorization header")
}
token := strings.TrimPrefix(auth, "Bearer ")
// Validate token format (e.g., JWT pattern) without relying on its value for paths
if !regexp.MustCompile(`^[A-Za-z0-9\-_=]+\.[A-Za-z0-9\-_=]+\.?[A-Za-z0-9\-_.+/=]*$`).MatchString(token) {
return echo.NewHTTPError(http.StatusBadRequest, "malformed token")
}
// Derive a safe user identifier from authenticated context, not raw token
userID := getAuthenticatedUserID(c) // e.g., from JWT claims
userDir := filepath.Join(baseDir, userID)
if err := os.MkdirAll(userDir, 0750); err != nil {
return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
}
f, err := os.Create(filepath.Join(userDir, "data.bin"))
if err != nil {
return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
}
defer f.Close()
return c.JSON(map[string]string{"status": "ok"})
}
When integrating with authentication middleware, ensure the Bearer Token is verified and claims are extracted before routing. The following example uses a JWT middleware to set a user ID in the context, which is then safely used for file paths:
func withAuth(next echo.HandlerFunc) echo.HandlerFunc {
return func(c echo.Context) error {
auth := c.Request().Header.Get("Authorization")
if auth == "" || !strings.HasPrefix(auth, "Bearer ") {
return echo.NewHTTPError(http.StatusUnauthorized)
}
tokenStr := strings.TrimPrefix(auth, "Bearer ")
claims := &CustomClaims{}
token, err := jwt.ParseWithClaims(tokenStr, claims, func(token *jwt.Token) (interface{}, error) {
return []byte(os.Getenv("JWT_SECRET")), nil
})
if err != nil || !token.Valid {
return echo.NewHTTPError(http.StatusUnauthorized)
}
c.Set("user_id", claims.UserID)
return next(c)
}
}
func handler(c echo.Context) error {
userID, ok := c.Get("user_id").(string)
if !ok {
return echo.NewHTTPError(http.StatusUnauthorized)
}
userDir := filepath.Join(baseDir, userID)
f, err := os.Create(filepath.Join(userDir, "data.bin"))
if err != nil {
return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
}
defer f.Close()
return c.JSON(map[string]string{"status": "ok"})
}
Additional remediation steps include:
- Avoid using Bearer Tokens directly in file or directory names; use mapping to internal IDs.
- Canonicalize paths with
filepath.Cleanand enforce that resolved paths remain within a defined base directory. - Mask Bearer Tokens in logs and error responses to prevent leakage through side channels.
- Apply the principle of least privilege to the filesystem permissions of upload directories.