CWE-30: Path Traversal: '\dir\..\filename'
Learn about CWE-30 (Path Traversal: '\dir\..\filename'), its security impact, exploitation methods, and prevention guidelines.
What is Path Traversal: '\dir\..\filename'?
• Overview: CWE-30, a path traversal vulnerability, occurs when software constructs a file path using untrusted input without properly sanitizing it, allowing attackers to access files outside the intended directory by exploiting sequences like '\dir\..\filename', where the '..' segment sits after a legitimate-looking directory name rather than at the start of the input.
• Exploitation Methods:
- Attackers can input crafted strings containing '..' to bypass directory restrictions and access unauthorized files.
- Common attack patterns include inserting '..' sequences to exploit path validation checks that only look for directory traversal at the input's start.
• Security Impact:
- Direct consequences include unauthorized access to sensitive files or directories.
- Potential cascading effects include privilege escalation, data leakage, and system compromise.
- Business impact involves data breaches, loss of customer trust, and potential legal liabilities.
• Prevention Guidelines:
- Specific code-level fixes include validating and sanitizing all file path inputs and canonicalizing paths before use.
- Security best practices involve implementing strict input validation and using whitelisting for allowed paths.
- Recommended tools and frameworks include static code analysis tools to detect path traversal vulnerabilities and libraries that securely handle file paths.
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not Language-Specific
Affected Technologies: Not specified
Vulnerable Code Example
import os

def read_file(file_name):
    base_directory = "/var/www/files/"
    # Vulnerable to path traversal attacks as it directly uses user input;
    # os.path.join also discards base_directory entirely if file_name is absolute
    file_path = os.path.join(base_directory, file_name)
    with open(file_path, "r") as file:
        return file.read()
Explanation:
- Direct User Input Usage: The code constructs a file path directly using user input (file_name) without any validation, making it vulnerable to path traversal attacks.
- Potential Exploit: An attacker could pass input like ../etc/passwd, allowing them to read files outside the intended directory, leading to unauthorized file access.
How to fix Path Traversal: '\dir\..\filename'?
To prevent path traversal vulnerabilities, always validate and sanitize user inputs. Approaches include:
- Sanitizing Input: Remove or neutralize any suspicious path traversal sequences from user input.
- Restricting Access: Use secure libraries or functions to ensure the path remains within a designated directory.
- Canonicalization: Resolve the path to its absolute form and ensure it starts with the expected base directory.
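The three approaches above (sanitize, canonicalize, restrict) are combined in the following example, which is added here for illustration and is not code from the CWE entry. It assumes a base directory of /var/www/files (a constructed value), normalizes the Windows-style backslash separators that give CWE-30 its name, canonicalizes with os.path.realpath (which, unlike os.path.abspath, also follows symlinks), and restricts with os.path.commonpath rather than a string prefix. Alongside it, naive_is_safe reproduces the flawed check mentioned earlier on the page, which only looks for traversal at the start of the input, so the two can be compared on the same inputs.

```python
import os
import posixpath
from typing import Optional

# Constructed base directory for the example (assumption, not from the page).
BASE_DIRECTORY = "/var/www/files"


def naive_is_safe(file_name: str) -> bool:
    """The flawed check the page warns about: it only rejects traversal at the start."""
    return not (file_name.startswith("../") or file_name.startswith("..\\"))


def resolve_within_base(base_directory: str, file_name: str) -> Optional[str]:
    """Return the canonical path if it stays inside base_directory, else None.

    1. Sanitize: reject NUL bytes and treat '\\' as a separator so that
       'dir\\..\\file' is not mistaken for a single odd file name on POSIX.
    2. Canonicalize: realpath() collapses '.' and '..' and follows symlinks.
    3. Restrict: commonpath() confirms the result lives under the base
       directory (a plain prefix test would accept '/var/www/files2').
    """
    if "\x00" in file_name:
        return None
    normalized = file_name.replace("\\", "/")
    if posixpath.isabs(normalized):
        # An absolute input would make os.path.join discard the base entirely.
        return None
    base = os.path.realpath(base_directory)
    candidate = os.path.realpath(os.path.join(base, normalized))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def classify(file_name: str) -> dict:
    """Compare the naive check with full canonicalization for one input."""
    resolved = resolve_within_base(BASE_DIRECTORY, file_name)
    return {
        "input": file_name,
        "naive_check_passes": naive_is_safe(file_name),
        "canonical_check_passes": resolved is not None,
        "resolved": resolved,
    }


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate, three traversal attempts.
    samples = [
        "reports/2024.txt",
        "reports/../summary.txt",
        "../etc/passwd",
        "dir\\..\\..\\etc\\passwd",
        "../files2/secret.txt",
    ]
    for name in samples:
        print(classify(name))
```

The naive check accepts 'dir\..\..\etc\passwd' and '../files2/secret.txt' because neither begins with '../', while the canonical check rejects both; 'reports/../summary.txt' is accepted by the canonical check because after resolution it still lies inside the base directory, which is the behaviour a sanitizer that simply strips every '..' would get wrong.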
Fixed Code Example
import os

def read_file(file_name):
    base_directory = "/var/www/files/"
    # Resolve the absolute path and ensure it remains within the base directory.
    # abspath() normalizes '..' segments lexically; os.path.realpath() would
    # additionally follow symbolic links before the check.
    file_path = os.path.abspath(os.path.join(base_directory, file_name))
    # Check if the resolved path starts with the base directory to prevent traversal
    if not file_path.startswith(os.path.abspath(base_directory) + os.sep):
        raise ValueError("Access Denied: Attempt to access unauthorized file path.")
    # Securely open the file if validation passes
    with open(file_path, "r") as file:
        return file.read()
Explanation:
- Absolute Path Resolution: The use of os.path.abspath() provides a normalized absolute path of the file, which is crucial for verification.
- Path Verification: The check using startswith() ensures that the resolved path is within the allowed base directory. The addition of os.sep ensures that partial directory names do not bypass the check.
- Exception Handling: Raises a ValueError if the path validation fails, effectively preventing unauthorized access attempts and providing feedback on access denial.