-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathTaintedPath.qhelp
More file actions
84 lines (80 loc) · 3.36 KB
/
TaintedPath.qhelp
File metadata and controls
84 lines (80 loc) · 3.36 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
Accessing files using paths constructed from user-controlled data can allow an attacker to access
unexpected resources. This can result in sensitive information being revealed or deleted, or an
attacker being able to influence behavior by modifying unexpected files.
</p>
<p>
Paths that are naively constructed from data controlled by a user may be absolute paths,
or may contain unexpected special characters such as "..". Such a path could point anywhere
on the file system.
</p>
</overview>
<recommendation>
<p>
Validate user input before using it to construct a file path.
</p>
<p>
Common validation methods include checking that the normalized path is relative and
does not contain any ".." components, or checking that the path is contained within a safe folder. The method you should use depends on how the path is used in the application, and whether the path should be a single path component.
</p>
<p>
If the path should be a single path component (such as a file name), you can check for the
existence of any path separators ("/" or "\"), or ".." sequences in the input, and reject
the input if any are found.
</p>
<p>
Note that removing "../" sequences is <i>not</i> sufficient, since the input could still
contain a path separator followed by "..". For example, the input ".../...//" would still
result in the string "../" if only "../" sequences are removed.
</p>
<p>
Finally, the simplest (but most restrictive) option is to use an allow list of safe patterns
and make sure that the user input matches one of these patterns.
</p>
</recommendation>
<example>
<p>
In the first example, a file name is read from an HTTP request and then used to access a file.
However, a malicious user could enter a file name which is an absolute path, such as
"/etc/passwd".
</p>
<p>
In the second example, it appears that the user is restricted to opening a file within the
<code>"user"</code> home directory. However, a malicious user could enter a file name containing
special characters. For example, the string <code>"../../etc/passwd"</code> will result in the code
reading the file located at "/home/user/../../etc/passwd", which is the system's
password file. This file would then be sent back to the user, giving them access to password
information.
</p>
<sample src="TaintedPath.go" />
<p>
If the input should only be a file name, you can check that it doesn't contain any
path separators or ".." sequences.
</p>
<sample src="TaintedPathGood.go" />
<p>
Note that this approach is only suitable if the input is expected to be a single file name.
</p>
<p>
If the input can be a path with multiple components, you can make it safe by verifying
that the path is within a specific directory that is considered safe.
You can do this by resolving the input with respect to that directory, and then checking
that the resulting path is still within it.
</p>
<sample src="TaintedPathGood2.go" />
<p>
Note that <code>/home/user</code> is just an example, you should replace it with the actual
safe directory in your application. Also, while in this example the path of the safe
directory is absolute, this may not always be the case, and you may need to resolve it
first before checking the input.
</p>
</example>
<references>
<li>OWASP: <a href="https://owasp.org/www-community/attacks/Path_Traversal">Path Traversal</a>.</li>
</references>
</qhelp>