Corgea LogoCorgea Security Hub

CWE-32: Path Traversal: '...' (Triple Dot)

Learn about CWE-32 (Path Traversal: '...' (Triple Dot)), its security impact, exploitation methods, and prevention guidelines.

What is Path Traversal: '...' (Triple Dot)?

• Overview:

  • CWE-32 refers to a path traversal vulnerability where the application does not properly neutralize '...' (triple dot) sequences in file paths, potentially allowing attackers to access files outside of a restricted directory.

• Exploitation Methods:

  • Attackers can exploit this vulnerability by crafting file paths that include '...' sequences to navigate to unauthorized directories.
  • Common attack patterns include using '...' to bypass path traversal protections that only account for '..' sequences, especially on systems like Windows where '...' can be interpreted as multiple directory levels.

• Security Impact:

  • Direct consequences of successful exploitation include unauthorized access to sensitive files and directories.
  • Potential cascading effects involve further compromise of the system, such as gaining access to configuration files or database credentials.
  • Business impact may include data breaches, loss of customer trust, and potential legal or regulatory consequences.

• Prevention Guidelines:

  • Specific code-level fixes include validating and sanitizing all user input that is used in file paths, and rejecting or escaping dangerous sequences.
  • Security best practices involve implementing strict directory whitelists and using secure APIs for file access that inherently prevent path traversal.
  • Recommended tools and frameworks include static analysis tools to detect vulnerabilities and frameworks that provide built-in protection against path traversal.

Corgea can automatically detect and fix Path Traversal: '...' (Triple Dot) in your codebase. Try Corgea free today.

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Not Language-Specific

Affected Technologies: Not specified

Vulnerable Code Example

Python Example

import os
from flask import Flask, request, send_from_directory

app = Flask(__name__)

BASE_DIR = '/var/www/uploads/'

@app.route('/download/<path:filename>', methods=['GET'])
def download_file(filename):
    # Vulnerable to Path Traversal using '...' sequences
    # This allows an attacker to access files outside of the intended directory
    return send_from_directory(BASE_DIR, filename)

if __name__ == '__main__':
    app.run()

Explanation

In the vulnerable code example, the send_from_directory function is directly using the filename parameter from the URL. If an attacker includes path traversal sequences such as .../.../ or ../../, they could potentially access sensitive files outside of the BASE_DIR directory. This is a classic path traversal vulnerability.

How to fix Path Traversal: '...' (Triple Dot)?

Path Traversal vulnerabilities occur when user input is used to build file paths without proper validation or sanitization, allowing attackers to access files outside of the intended directory. To fix this:

  1. Normalize the Path: Use functions that resolve the path to its absolute form, which helps in eliminating sequences like '...', '..', or '.'.
  2. Path Validation: Ensure the resolved path is within the allowed base directory.
  3. Reject Suspicious Patterns: Explicitly reject input that contains suspicious patterns, such as triple dots or multiple consecutive dots.
  4. Use Secure APIs: Prefer high-level APIs that have built-in security checks for handling file paths.

Fixed Code Example

import os
from flask import Flask, request, abort, send_from_directory

app = Flask(__name__)

BASE_DIR = '/var/www/uploads/'

@app.route('/download/<path:filename>', methods=['GET'])
def download_file(filename):
    # Normalize the file path to eliminate path traversal sequences
    safe_path = os.path.abspath(os.path.join(BASE_DIR, filename))
    
    # Ensure that the resolved path is within the base directory
    if not safe_path.startswith(BASE_DIR):
        # Reject the request if the path is outside the allowed directory
        abort(403)  # Forbidden
    
    # Safely serve the file from the directory
    return send_from_directory(BASE_DIR, os.path.basename(safe_path))

if __name__ == '__main__':
    app.run()

Explanation

In the fixed code example, the os.path.abspath function is used to resolve the full absolute path of the requested file. The code then checks if this resolved path starts with BASE_DIR, ensuring it is within the intended directory. If the path is outside the allowed directory, the request is blocked with a 403 Forbidden response, effectively preventing path traversal attacks. Additionally, os.path.basename is used to ensure that only the filename is passed to send_from_directory, adding an extra layer of security.

Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-32: Path Traversal: '...' (Triple Dot) and get remediation guidance

Start for free and no credit card needed.