On Windows:

filepath.Clean("a/../b:/../../c") == "c" // expect "../c"

This is due to a bug in CL 468123, which ensures Clean will not convert a relative path into one starting with a drive reference. (Clean("a/../b:") == "./b:", not "b:".)

An effect of this is that filepath.IsLocal(p) and filepath.IsLocal(filepath.Clean(p)) may be different, with Clean converting a non-local relative path into a local one as in the above example. I don't think this is a vulnerability as such, but it's worth noting.

Thanks to Juho Nurminen of Mattermost for reporting this issue.