ASA 9735 #266
Potential path traversal vulnerability when using File class
Identified by HCL AppScan CodeSweep
Vulnerability: PathTraversal
Severity: High
Details
PathTraversal
Cause
The application receives the name of a directory or file from the user. If this name is used to build the file path directly, the path can be manipulated to point to directories and files that should not be accessible, or that may contain malicious data or code.
In particular, user input is not checked for the '..' (dot dot) pattern or directory separators (usually slash), and the file permissions are not restricted.
Risk
It is possible to modify, delete, or read the contents of any file (for example, databases, user information or configuration files) on the web server that the application can access.
An attacker may try to corrupt or remove critical files used by the application or operating system to cause a denial of service (DoS), or even append data to a file.
The attack can also be used to delete log files containing information that could be used to track down an attacker.
Exploit example
The following example shows the contents of an internal file being returned in the response.
The following examples show how the application handles the resources it serves.
Request
GET /get-files.jsp?file=report.pdf HTTP/1.1
Response
HTTP/1.1 200 OK
...
...
%PDF......
.....
%%EOF
An attacker might trick the application into serving files outside the intended directory by using path traversal sequences, for example ../../../../
Request
GET /get-files?file=../../../../etc/passwd HTTP/1.1
Response
HTTP/1.1 200 OK
.....
.....
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
smithj:x:561:561:Joe Smith:/home/smithj:/bin/bash
Fix recommendation
To prevent this type of attack you should first sanitize all user-supplied data that will be used to build the path. The best way to do this is to use an allowlist. An allowlist is the set of values that the application will accept. For example, the allowlist for user-supplied data to be inserted into a path string would be only alphanumeric characters, with possibly the underscore (_) and dash (-) characters allowed.
In addition to using the allowlisting technique, the server should disallow access to all areas of the file system except those used specifically for the web application. This will prevent users from attempting to break out of the web application directory and access files in other areas of the file system.
Enforce that only certain extensions can be opened
Remove special characters (Meta-characters) from the user's input, e.g. the pipe (|) character
Canonicalize path names before validating them
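As an added example (not code from this page, from HCL, or from the appscan-sdk project), the following Java class places the flagged `new File(directory, name)` shape next to a hardened resolver that applies the steps listed above: allowlist the name, canonicalize the result, and only then check that it stays inside the base directory. The class name `SafeResultsPath`, the methods `unsafeResolve` and `safeResolve`, the base directory under `java.io.tmpdir`, and the sample inputs are all assumptions constructed for this illustration; the example assumes the second argument can be influenced by an untrusted party, which the SDK's own `scanTypeShortForm` call may not allow.

```java
import java.io.File;
import java.io.IOException;
import java.util.regex.Pattern;

// Constructed example: vulnerable and hardened resolution of a user-supplied name under a base directory.
public class SafeResultsPath {
    // Allowlist from the fix recommendation: alphanumerics plus underscore and dash only.
    // This rejects "..", "/", "\" and meta-characters such as "|" before any path is built.
    private static final Pattern ALLOWED = Pattern.compile("^[A-Za-z0-9_-]+$");

    // Vulnerable shape (what the scanner flags): the name is joined to the base directory
    // without validation, so "../../etc/passwd" escapes the intended directory.
    static File unsafeResolve(File directory, String name) {
        return new File(directory, name);
    }

    // Hardened: allowlist first, then canonicalize both sides and confirm containment.
    // The canonical check is defense in depth; symlinks inside the base are resolved before comparing.
    static File safeResolve(File directory, String name) throws IOException {
        if (name == null || !ALLOWED.matcher(name).matches()) {
            throw new IllegalArgumentException("file name rejected by allowlist: " + name);
        }
        File base = directory.getCanonicalFile();
        File candidate = new File(base, name).getCanonicalFile();
        // Append the separator so a base of "/data" does not accept "/data2/x".
        String basePrefix = base.getPath() + File.separator;
        if (!candidate.getPath().startsWith(basePrefix)) {
            throw new SecurityException("path escapes base directory: " + candidate);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed base directory; it does not need to exist for canonicalization to work.
        File base = new File(System.getProperty("java.io.tmpdir"), "appscan-results");
        // Constructed inputs: one legitimate short form, one traversal, one meta-character, one separator.
        String[] inputs = { "SCA", "../../../../etc/passwd", "report|cmd", "a/b" };
        for (String in : inputs) {
            System.out.println("input  : " + in);
            System.out.println("unsafe -> " + unsafeResolve(base, in).getPath());
            try {
                System.out.println("safe   -> " + safeResolve(base, in).getPath());
            } catch (RuntimeException e) {
                System.out.println("safe   -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Run with `javac SafeResultsPath.java && java SafeResultsPath`. Only the allowlisted name resolves; the other three are rejected before `new File` is ever constructed, and the canonical prefix check would still catch a value that slipped past a weaker allowlist (for example one that permitted dots or separators).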
External references
OWASP Article - Path Traversal
Copyright © 2021, 2023 HCL Technologies Limited
Annotations
github-actions / AppScan CodeSweep #1
Potential path traversal vulnerability when using File class
Vulnerability: PathTraversal [Severity: High]
Raw output
{"file":"CloudCombinedResultsProvider.java","filePath":"src/main/java/com/hcl/appscan/sdk/results/CloudCombinedResultsProvider.java","lineNumber":102,"columnNumber":0,"language":"Java","vulnName":"Potential path traversal vulnerability when using File class","vulnType":"PathTraversal","ruleName":"com.hcl.appscan.scanner.java.rules.PathTraversalFileApiJava","context":"new File(directory,ServiceUtil.scanTypeShortForm(m_resultsProvider2.getType())","severity":0,"codeFixes":[],"hashValues":{"0":1682034110,"1":1682034110,"2":685675,"3":685675,"4":1396415660,"5":1396415660}}
github-actions / AppScan CodeSweep #1
Potential path traversal vulnerability when using File class
Vulnerability: PathTraversal [Severity: High]
Raw output
{"file":"CloudCombinedResultsProvider.java","filePath":"src/main/java/com/hcl/appscan/sdk/results/CloudCombinedResultsProvider.java","lineNumber":101,"columnNumber":0,"language":"Java","vulnName":"Potential path traversal vulnerability when using File class","vulnType":"PathTraversal","ruleName":"com.hcl.appscan.scanner.java.rules.PathTraversalFileApiJava","context":"new File(directory,ServiceUtil.scanTypeShortForm(m_resultsProvider1.getType())","severity":0,"codeFixes":[],"hashValues":{"0":903275829,"1":903275829,"2":-630885562,"3":-630885562,"4":-568558537,"5":-568558537}}