CWE-50: Path Equivalence: '//multiple/leading/slash'
Learn about CWE-50 (Path Equivalence: '//multiple/leading/slash'), its security impact, exploitation methods, and prevention guidelines.
What is Path Equivalence: '//multiple/leading/slash'?
• Overview: CWE-50 refers to a vulnerability where a software system improperly handles paths with multiple leading slashes, such as '//multiple/leading/slash'. This can result in ambiguous path resolution, potentially allowing attackers to navigate the file system to unauthorized locations or access arbitrary files.
• Exploitation Methods:
- Attackers can exploit this vulnerability by crafting paths with multiple leading slashes to bypass security controls or access restricted areas.
- Common attack patterns include path traversal attacks, where attackers manipulate file path inputs to access files and directories outside of the intended scope.
• Security Impact:
- Direct consequences include unauthorized file access, data leakage, and potential data modification or deletion.
- Potential cascading effects may involve privilege escalation if sensitive system files are accessed.
- Business impact includes data breaches, loss of customer trust, and potential legal liabilities.
• Prevention Guidelines:
- Specific code-level fixes include normalizing file paths by removing redundant slashes and validating input paths to ensure they conform to expected formats.
- Security best practices involve implementing strict input validation and output encoding, and adhering to the principle of least privilege.
- Recommended tools and frameworks include using secure libraries or APIs that provide built-in path normalization and validation, and conducting regular security audits and code reviews.
Corgea can automatically detect and fix Path Equivalence: '//multiple/leading/slash' in your codebase. Try Corgea free today.
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not Language-Specific
Affected Technologies: Not specified
Vulnerable Code Example
Python Example
```python
import os
from flask import Flask, request, send_file

app = Flask(__name__)

@app.route('/download', methods=['GET'])
def download_file():
    # Vulnerable to path traversal due to accepting unvalidated path input
    file_path = request.args.get('file')  # User input directly used
    # Multiple leading slashes are not sanitized, leading to potential path traversal
    full_path = os.path.join('/var/www/files', file_path)
    return send_file(full_path)
```
Explanation:
- Direct Path Concatenation: The code concatenates user input directly with the base directory without validation, which is risky.
- Path Traversal Risk: An attacker could exploit this by providing a path with multiple leading slashes like '////etc/passwd', potentially accessing sensitive files outside the intended directory.
How to fix Path Equivalence: '//multiple/leading/slash'?
To fix this vulnerability, sanitize the file input to ensure it doesn't contain any path traversal sequences (e.g., '..') or multiple leading slashes. Use os.path.normpath() to normalize the path and confirm that the final path is within the intended directory.
Fixed Code Example
```python
import os
from flask import Flask, request, send_file, abort

app = Flask(__name__)
BASE_DIR = os.path.abspath('/var/www/files')

@app.route('/download', methods=['GET'])
def download_file():
    file_path = request.args.get('file', '')
    # Strip leading slashes so the input is always treated as relative to the
    # base directory (os.path.join discards the base when given an absolute path)
    safe_path = file_path.lstrip('/')
    # Construct the full path, then normalize it to remove redundant slashes and
    # resolve any '..' sequences against the base directory
    full_path = os.path.normpath(os.path.join(BASE_DIR, safe_path))
    # Ensure the resolved path is within the allowed directory; the trailing
    # separator stops prefix matches such as '/var/www/files_private'
    if not full_path.startswith(BASE_DIR + os.sep):
        abort(403)  # Forbidden access if path is outside the intended directory
    return send_file(full_path)
```
Explanation:
- Normalization: os.path.normpath() is used to clean the file path by removing redundant slashes and resolving any directory traversal sequences like '..'.
- Path Validation: By checking if the constructed path starts with the absolute path of the base directory, we ensure the path remains within the allowed boundaries.
- Security Control: If the path is not valid, the request is aborted with a 403 Forbidden response, adding an extra layer of security to prevent exploitation.
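The containment check described above, written out as an added example that is not part of the original page: a hypothetical resolve_safe() helper shown beside the naive join, using posixpath instead of os.path so the result is the same on any host and no filesystem access is needed.

```python
import posixpath

# Constructed example (not code from the original page): a containment check
# for user-supplied file names. posixpath is used instead of os.path so the
# behaviour is identical on every host; this is string logic only, no I/O.
BASE_DIR = "/var/www/files"


def naive_join(user_path):
    """The vulnerable pattern from the page: join() discards BASE_DIR as soon
    as the second argument is absolute, and '////etc/passwd' is absolute."""
    return posixpath.join(BASE_DIR, user_path)


def resolve_safe(user_path, base_dir=BASE_DIR):
    """Return the normalized path to serve, or None when the request must be
    refused because it escapes base_dir (or names base_dir itself)."""
    if not user_path:
        return None
    base = posixpath.normpath(base_dir)
    # Leading slashes are stripped first so the input is always interpreted
    # relative to base_dir (normpath alone keeps exactly two leading slashes,
    # so it is not enough on its own); normpath then collapses '//' runs and
    # resolves any '.' and '..' components of the joined path.
    candidate = posixpath.normpath(posixpath.join(base, user_path.lstrip("/")))
    # commonpath compares whole path components, so a sibling such as
    # '/var/www/files_private' is not accepted the way a prefix match would.
    if candidate == base or posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate
```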