CWE-27: Path Traversal: 'dir/../../filename'
Learn about CWE-27 (Path Traversal: 'dir/../../filename'), its security impact, exploitation methods, and prevention guidelines.
What is Path Traversal: 'dir/../../filename'?
• Overview: Path Traversal vulnerability occurs when an application constructs a file path using user input without properly sanitizing it, allowing attackers to access files and directories outside the intended directory by using sequences like '../'.
• Exploitation Methods:
- Attackers can exploit this vulnerability by manipulating input to include sequences like '../' to traverse directories.
- Common attack patterns include injecting multiple '../' sequences to bypass simple sanitization checks or inserting these sequences in unexpected parts of the path.
• Security Impact:
- Direct consequences of successful exploitation include unauthorized access to sensitive files and directories, potentially exposing confidential data.
- Potential cascading effects involve further exploitation of the system, such as privilege escalation or execution of unauthorized commands.
- Business impact can be severe, leading to data breaches, loss of customer trust, legal penalties, and financial loss.
• Prevention Guidelines:
- Specific code-level fixes include normalizing paths to remove any '../' sequences and validating file paths against a whitelist of allowed directories.
- Security best practices involve using built-in functions or libraries for path manipulation that automatically handle path traversal threats.
- Recommended tools and frameworks include security libraries that provide input validation and sanitation functions, and static analysis tools to detect path traversal vulnerabilities during development.
Corgea can automatically detect and fix Path Traversal: 'dir/../../filename' in your codebase. Try Corgea free today.
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not Language-Specific
Affected Technologies: Not specified
Vulnerable Code Example
import os
def read_file(user_input):
# Vulnerable code: The user_input is directly used to create the file path.
# An attacker can use path traversal sequences to access unauthorized files.
file_path = os.path.join('/var/www/data', user_input)
with open(file_path, 'r') as file:
return file.read()
# Example usage:
# user_input = "../../etc/passwd" could lead to unauthorized file access
How to fix Path Traversal: 'dir/../../filename'?
To fix the path traversal vulnerability, we need to ensure that the file paths are properly sanitized and restricted to a specific directory. This can be achieved by:
- Normalizing the Path: Use
os.path.normpath()to collapse redundant separators and up-level references (e.g.,A/B/../CbecomesA/C). - Restricting Access: Ensure the resulting path resides within a specific base directory by checking it starts with the intended base directory path.
- Whitelisting: Optionally, use a whitelist of allowed file names if the files are known and limited.
Fixed Code Example
import os
def read_file(user_input):
# Fixed code: Normalize the user input path.
base_dir = '/var/www/data'
safe_path = os.path.normpath(os.path.join(base_dir, user_input))
# Ensure the file path is within the base directory
if not os.path.commonpath([base_dir, safe_path]) == base_dir:
raise ValueError("Attempted Path Traversal Detected!")
with open(safe_path, 'r') as file:
return file.read()
# Example usage:
# This will raise an error if `user_input` attempts to traverse outside the base directory.
In this fixed version, we normalize the user input path and ensure it does not escape the intended directory by using os.path.commonpath, effectively mitigating the path traversal vulnerability. This approach is more reliable as it accurately checks if the resolved path is still within the base directory.