Corgea LogoCorgea Security Hub

CWE-35: Path Traversal: '.../...//'

Learn about CWE-35 (Path Traversal: '.../...//'), its security impact, exploitation methods, and prevention guidelines.

What is Path Traversal: '.../...//'?

• Overview: Path Traversal: '.../...//' is a vulnerability where external input is used to create a file path, but improper neutralization of '.../...//' sequences allows access to directories outside a restricted folder.

• Exploitation Methods:

  • Attackers can insert '.../...//' sequences to navigate up the directory structure.
  • Commonly used to bypass filters that incorrectly handle or sanitize path inputs by collapsing '.../...//' into '../' sequences.

• Security Impact:

  • Direct consequences include unauthorized access to sensitive files and directories.
  • Potential cascading effects include exposure of confidential information, system configuration details, and application source code.
  • Business impact could involve data breaches, reputational damage, and potential legal liabilities.

• Prevention Guidelines:

  • Specific code-level fixes include properly sanitizing and validating all path inputs and avoiding direct inclusion of user input in file paths.
  • Security best practices involve using built-in path resolution functions that enforce directory constraints and employing whitelisting for permissible file paths.
  • Recommended tools and frameworks include static code analysis tools to identify path traversal vulnerabilities and web application firewalls (WAFs) to block malicious input patterns.

Corgea can automatically detect and fix Path Traversal: '.../...//' in your codebase. Try Corgea free today.

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Not Language-Specific

Affected Technologies: Not specified

Vulnerable Code Example

Certainly! Let's improve the code examples and explanations for CWE-35 (Path Traversal: '.../...//').

Python Example

import os

def read_file(filename):
    base_directory = "/var/www/data"
    file_path = os.path.join(base_directory, filename)
    if os.path.exists(file_path):
        with open(file_path, 'r') as file:
            return file.read()
    else:
        return "File does not exist."

# Potentially dangerous input
user_input = ".../...//etc/passwd"
print(read_file(user_input))

Explanation

  • Vulnerability: The code directly concatenates user input with a base directory path without sufficient validation. This allows attackers to manipulate the input to access files outside the intended directory using path traversal sequences like .../...//.
  • Impact: An attacker could exploit this to read sensitive system files, such as /etc/passwd, potentially leading to information disclosure or further system compromise.

How to fix Path Traversal: '.../...//'?

Detailed Explanation of Fix Approach:

  1. Normalize Input Path: Use os.path.normpath() to clean up the input path by removing redundant separators and resolving up-level references (..).
  2. Validate Against Base Directory: Ensure the resolved path starts with the expected base directory by comparing the absolute paths.
  3. Use Secure Path Handling: Use os.path.realpath() to derive the absolute path and ensure it doesn't escape the intended directory scope.

Fixed Code Example

import os

def read_file(filename):
    base_directory = "/var/www/data"
    # Normalize and resolve the absolute path to prevent traversal
    normalized_path = os.path.normpath(os.path.join(base_directory, filename))
    absolute_path = os.path.realpath(normalized_path)
    
    # Ensure the final path is within the base directory
    if not absolute_path.startswith(os.path.realpath(base_directory)):
        return "Access denied."
    
    if os.path.exists(absolute_path):
        with open(absolute_path, 'r') as file:
            return file.read()
    else:
        return "File does not exist."

# Malicious input is now properly checked and rejected
user_input = ".../...//etc/passwd"
print(read_file(user_input))

Security Controls Implemented:

  • Line {8}: The input path is first normalized using os.path.normpath() to eliminate redundant separators and resolve .. references.
  • Lines {9-10}: The absolute path is calculated using os.path.realpath(), ensuring it is confined to the base_directory.
  • Line {11}: The path is validated to confirm it starts with the resolved base directory path, preventing directory traversal attacks.
  • Lines {13-14}: The file is accessed only if the path validation passes, ensuring access is restricted to the intended directory.

These improvements ensure the code is secure against path traversal attacks by validating and restricting file access to the specified base directory.

Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-35: Path Traversal: '.../...//' and get remediation guidance

Start for free and no credit card needed.