GO
Sandbox filesystem access to a directory with os.Root (Go 1.24)
internal/upload/store.go
goroot, err := os.OpenRoot("/srv/uploads")
if err != nil {
return err
}
defer root.Close()
// userPath comes from the request — cannot escape /srv/uploads,
// even with "../" or an absolute path or a symlink out of the dir.
f, err := root.Open(userPath)`os.Root` (Go 1.24) confines all file operations to a directory: `Open`, `Create`, `Stat`, and friends resolve relative to the root and refuse to escape it, including via `..`, absolute paths, or symlinks pointing outside. For anything touching user-supplied paths — uploads, archive extraction, template loading — this closes off path-traversal attacks at the syscall boundary instead of relying on fragile manual `filepath.Clean` checks that are easy to get subtly wrong.
go1.24filesystemsecuritypath-traversal
source:pkg.go.dev/os