ReadFileBytes panics when a provided path is empty

[ahpaleus]

When the ReadFileBytes function is called with an empty string as the file path (ReadFileBytes("")), it leads to panic because the subsequent call to the expandHomePath function checks if the first character is a tilde. While this issue might not immediately expose a vulnerability, it could cause disruptions in certain scenarios.

To mitigate this, it is recommended to:

• Proactively check for empty paths. To prevent the panic scenario, add an early check at the beginning of the expandHomePath function to ensure the file path is not empty.
• Review the codebase for duplicated code. We detected the presence of duplicate, error-prone ReadFileBytes functions within the go-authcrunch package.
• Implement unit testing. To ensure the correct functionality of these functions, comprehensive unit tests should be created. These tests should cover various scenarios, including valid and invalid file paths.
• Leverage fuzz testing. In addition to unit tests, use Golang’s native fuzz tests to increase the robustness of the go-authcrunch package. Native fuzz tests can be conveniently appended to the regular *_test.go test suite and do not need any overhead.

[polarathene]

While this issue might not immediately expose a vulnerability, it could cause disruptions in certain scenarios.

Could you please elaborate with a pragmatic example?

• When would someone use that function in a way that does not fail through panic at the start, only later to become a vulnerability or disruption?
• What would happen differently in that scenario if the panic was avoided instead?