CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Learn about CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')), its security impact, exploitation methods, and prevention guidelines.

What is Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')?

• Overview: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') is a vulnerability that occurs when software fails to restrict file paths, allowing input to access files outside a designated directory using special elements like "..".

• Exploitation Methods:

  • Attackers can exploit this vulnerability by manipulating input to include directory traversal sequences such as "../" to access unauthorized directories and files.
  • Common attack patterns include crafting URLs or input fields to traverse directories and access sensitive files like configuration files, passwords, or system binaries.

• Security Impact:

  • Direct consequences of successful exploitation include unauthorized access to sensitive files, leakage of confidential data, and potential execution of unauthorized commands.
  • Potential cascading effects include privilege escalation, further system compromise, and lateral movement within a network.
  • Business impact can involve data breaches, loss of customer trust, legal repercussions, and financial losses.

• Prevention Guidelines:

  • Specific code-level fixes include validating all user input used in file paths: reject input containing traversal sequences, NUL bytes, or absolute paths rather than trying to strip them, since stripping can be bypassed (for example, "....//" becomes "../" after one pass of removal).
  • Security best practices involve using APIs that canonicalize paths, such as realpath() in C or path.resolve() in Node.js, and then checking that the canonical path lies inside the allowed base directory; canonicalization alone is not a fix, the containment check is.
  • Recommended tools and frameworks include static code analysis tools to detect path traversal vulnerabilities during the development process and web application firewalls (WAFs) to help block attempted exploitation in deployed applications.
Corgea can automatically detect and fix Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: High

Affected Languages: Not Language-Specific

Affected Technologies: Not specified

Vulnerable Code Example

const fs = require('fs');
const path = require('path');

function getFileContent(filename) {
    const baseDirectory = '/var/www/uploads';
    const filePath = path.join(baseDirectory, filename);

    // Vulnerable to path traversal attacks
    // Example: filename = "../../etc/passwd" could access sensitive files outside the intended directory
    return fs.readFileSync(filePath, 'utf8');  // Potential security risk here
}

Explanation:

The getFileContent function constructs a file path using user input without proper validation, making it susceptible to path traversal attacks. By using sequences like ../../, an attacker can access files outside the intended directory.

How to fix Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')?

To address this vulnerability:

  1. Resolve Absolute Path: Use path.resolve to compute the absolute path, which normalizes the path and eliminates .. sequences.
  2. Ensure Path Validity: Confirm that the resolved path starts with the base directory to ensure the file is within the allowed directory.
  3. Restrict and Validate Input: Sanitize the input to remove or reject characters that may facilitate path traversal.

Fixed Code Example

const fs = require('fs');
const path = require('path');

function getFileContent(filename) {
    const baseDirectory = '/var/www/uploads';
    // Resolve the absolute path to eliminate path traversal possibilities
    const filePath = path.resolve(baseDirectory, filename);

    // Ensure that the file path starts with the base directory
    if (!filePath.startsWith(baseDirectory + path.sep)) {
        throw new Error('Invalid file path detected.');
    }

    return fs.readFileSync(filePath, 'utf8');  // Secure file access after validation
}

Explanation:

  • The path.resolve call: path.resolve is used to calculate the absolute path, which normalizes the path and neutralizes .. sequences before any check is made.
  • The startsWith check: the resolved path must begin with baseDirectory followed by a path separator. The separator matters: without it, a sibling directory such as /var/www/uploads-secret would pass the check.
  • The fs.readFileSync call: the file content is read only after the path has been validated, so the read cannot reach outside the base directory.

These changes ensure that the code is secure against path traversal attacks, providing a robust solution to this common vulnerability.

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') and get remediation guidance

Start for free and no credit card needed.