Skip to content

ASA 9735

ASA 9735 #266

GitHub Actions / AppScan CodeSweep #1 failed Jan 16, 2025 in 0s

Potential path traversal vulnerability when using File class

Identified by HCL AppScan CodeSweep
Vulnerability: PathTraversal
Severity: High

Details

PathTraversal

Cause

The application receives the name of a directory or file from the user. If this is used to create the file path directly, the path can be manipulated to point to directories and files which should not be allowed access or which may contain malicious data or code.

In particular, user input is not checked for the '..' (dot dot) pattern or directory separators (usually slash), and the file permissions are not restricted.

Risk

It is possible to modify, delete, or read the contents of any file (for example, databases, user information or configuration files) on the web server that the application can access.

An attacker may try to corrupt or remove critical files used by the application or operating system to cause a DoS attack, or even add data to a file.

The attack can also be used to delete log files containing information that could be used to track down an attacker.

Exploit example

The following example shows a contents of an internal file that returns in the response.

The following examples show how the application deals with the resources in use.

Request

/get-files.jsp?file=report.pdf HTTP/1.1

Response

HTTP/1.1 200 OK
...
...
%PDF......
.....
%%EOF

An attacker might trick the application to serve files outside of the desired directory, by using path traversal attacks, for example - ../../../../

Request

GET /get-files?file=../../../../etc/passwd HTTP/1.1

Response

HTTP/1.1 200 OK
.....
.....
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
smithj:x:561:561:Joe Smith:/home/smithj:/bin/bash

Fix recommendation

To prevent this type of attack you should first sanitize all user supplied data that will be used to build the path. The best way to do this is to use a allowlist. A allowlist is an accepted list of values that the application will accept. For example, the allowlist for user supplied data to be inserted into a path string would be only alpha-numeric characters with possibly the underscore (_) and dash (-) characters allowed.

In addition to using the allowlisting technique, the server should disallow access to all areas of the file system except those used specifically for the web application. This will prevent users from attempting to break out of the web application directory and access files in other areas of the file system.

Enforce that only certain extensions can be opened

Remove special characters (Meta-characters) from the user's input, e.g. the pipe (|) character

Canonicalize path names before validating them

External references

OWASP Article - Path Traversal

Copyright © 2021, 2023 HCL Technologies Limited | Disclaimer

Annotations

Check warning on line 102 in src/main/java/com/hcl/appscan/sdk/results/CloudCombinedResultsProvider.java

See this annotation in the file changed.

@github-actions github-actions / AppScan CodeSweep #1

Potential path traversal vulnerability when using File class

Vulnerability: PathTraversal	[Severity: High]
Raw output
{"file":"CloudCombinedResultsProvider.java","filePath":"src/main/java/com/hcl/appscan/sdk/results/CloudCombinedResultsProvider.java","lineNumber":102,"columnNumber":0,"language":"Java","vulnName":"Potential path traversal vulnerability when using File class","vulnType":"PathTraversal","ruleName":"com.hcl.appscan.scanner.java.rules.PathTraversalFileApiJava","context":"new File(directory,ServiceUtil.scanTypeShortForm(m_resultsProvider2.getType())","severity":0,"codeFixes":[],"hashValues":{"0":1682034110,"1":1682034110,"2":685675,"3":685675,"4":1396415660,"5":1396415660}}

Check warning on line 101 in src/main/java/com/hcl/appscan/sdk/results/CloudCombinedResultsProvider.java

See this annotation in the file changed.

@github-actions github-actions / AppScan CodeSweep #1

Potential path traversal vulnerability when using File class

Vulnerability: PathTraversal	[Severity: High]
Raw output
{"file":"CloudCombinedResultsProvider.java","filePath":"src/main/java/com/hcl/appscan/sdk/results/CloudCombinedResultsProvider.java","lineNumber":101,"columnNumber":0,"language":"Java","vulnName":"Potential path traversal vulnerability when using File class","vulnType":"PathTraversal","ruleName":"com.hcl.appscan.scanner.java.rules.PathTraversalFileApiJava","context":"new File(directory,ServiceUtil.scanTypeShortForm(m_resultsProvider1.getType())","severity":0,"codeFixes":[],"hashValues":{"0":903275829,"1":903275829,"2":-630885562,"3":-630885562,"4":-568558537,"5":-568558537}}