
fix: prevent path traversal via crafted session token in FileTokenStore#142

Merged
devld merged 1 commit into devld:master from tranquac:fix/path-traversal-session-token
Mar 30, 2026

Conversation

@tranquac
Contributor

Summary

Prevent path traversal in FileTokenStore.getSessionFile by validating the session token contains only UUID-safe characters before using it in file path construction.

Problem

getSessionFile constructs a file path directly from the user-supplied session token:

func (f *FileTokenStore) getSessionFile(token string) string {
    return filepath.Join(f.root, filepath.Clean(sessionPrefix+token))
}

A crafted token containing path traversal sequences (e.g., /../../../etc/passwd) can escape the sessions directory:

  1. Token: /../../../etc/passwd
  2. filepath.Clean("s_" + "/../../../etc/passwd") resolves to ../../etc/passwd
  3. filepath.Join(root, "../../etc/passwd") traverses outside the sessions directory

This allows:

  • Information disclosure: os.Stat in readFile reveals whether arbitrary files exist and their modification time
  • File creation: writeFile with os.O_CREATE could create files at arbitrary paths
  • Session validation bypass: If an existing file passes the expiration check and happens to be valid gob-encoded data

Fix

Validate that the token contains only UUID-safe characters (a-f, 0-9, -) before constructing the file path. Tokens with any other characters are mapped to a safe invalid path.

func (f *FileTokenStore) getSessionFile(token string) string {
    // Reject anything outside the UUID alphabet before the token reaches path construction.
    for _, c := range token {
        if !((c >= 'a' && c <= 'f') || (c >= '0' && c <= '9') || c == '-') {
            return filepath.Join(f.root, sessionPrefix+"invalid")
        }
    }
    return filepath.Join(f.root, filepath.Clean(sessionPrefix+token))
}

This is defense-in-depth — it ensures that even if token validation is relaxed elsewhere, the file store cannot be used for path traversal.

Impact

  • Type: Path Traversal (CWE-22)
  • Affected function: server.FileTokenStore.getSessionFile
  • Risk: Arbitrary file existence disclosure, potential file creation outside sessions directory

Signed-off-by: tranquac <tranquac@users.noreply.github.com>
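The following is an added, stand-alone Go example (not code from this PR or the project) that places the pre-fix `getSessionFile` beside the allowlist version described above and adds a `filepath.Rel`-based post-condition check that can serve as a regression test. The `FileTokenStore` struct, the root directory and the sample tokens are constructed for the example; `sessionPrefix` is assumed to be `"s_"`, which is what step 2 of the description implies. One caveat worth noting when reusing the allowlist: it accepts only lowercase hex, so a token rendered with uppercase hex digits is also mapped to the `s_invalid` path.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// sessionPrefix is assumed to be "s_" (the PR's step 2 shows Clean("s_" + token)).
const sessionPrefix = "s_"

// FileTokenStore is reconstructed for this example: a root directory holding
// one file per session token.
type FileTokenStore struct {
	root string
}

// getSessionFileVulnerable is the pre-fix behaviour: the token is joined into
// the path unchecked, so a token such as "/../../../etc/passwd" escapes root.
func (f *FileTokenStore) getSessionFileVulnerable(token string) string {
	return filepath.Join(f.root, filepath.Clean(sessionPrefix+token))
}

// isUUIDSafe reports whether token contains only the characters a-f, 0-9 and '-'.
func isUUIDSafe(token string) bool {
	for _, c := range token {
		if !((c >= 'a' && c <= 'f') || (c >= '0' && c <= '9') || c == '-') {
			return false
		}
	}
	return true
}

// getSessionFile is the fixed behaviour: any token outside the UUID alphabet is
// mapped to a fixed path inside root instead of being used for path building.
func (f *FileTokenStore) getSessionFile(token string) string {
	if !isUUIDSafe(token) {
		return filepath.Join(f.root, sessionPrefix+"invalid")
	}
	return filepath.Join(f.root, filepath.Clean(sessionPrefix+token))
}

// insideRoot is an independent post-condition: the resolved path must not lie
// outside root. It is useful as a regression test or as a second guard.
func insideRoot(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	store := &FileTokenStore{root: "/var/lib/app/sessions"} // constructed root
	for _, tok := range []string{
		"3f2a1b4c-0000-4000-8000-000000000001", // constructed, well-formed token
		"/../../../etc/passwd",                 // traversal token from the PR description
		"3F2A1B4C-0000-4000-8000-000000000001", // uppercase hex: rejected by the allowlist
	} {
		before := store.getSessionFileVulnerable(tok)
		after := store.getSessionFile(tok)
		fmt.Printf("%-40q before=%s (inside=%t) after=%s (inside=%t)\n",
			tok, before, insideRoot(store.root, before), after, insideRoot(store.root, after))
	}
}
```

Running it shows the traversal token resolving to `/var/lib/etc/passwd` under the old function (outside root) and to `/var/lib/app/sessions/s_invalid` under the fixed one; `insideRoot` flags the first and accepts the second, which is the property a unit test for this fix should assert.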
@devld devld merged commit 8daabae into devld:master Mar 30, 2026
3 checks passed
