CWE-59: Improper Link Resolution Before File Access ('Link Following')
Learn about CWE-59 (Improper Link Resolution Before File Access ('Link Following')), its security impact, exploitation methods, and prevention guidelines.
What is Improper Link Resolution Before File Access ('Link Following')?
• Overview: This vulnerability occurs when an application accesses a file using a filename, but fails to ensure that the filename does not point to a symbolic link or shortcut that resolves to an unintended file or resource.
• Exploitation Methods:
- Attackers can create symbolic links that point to sensitive or critical files, tricking the application into accessing or modifying them.
- Common attack patterns include creating symbolic links in directories where the application has write permissions and waiting for the application to access these links.
• Security Impact:
- Direct consequences include unauthorized access to sensitive files, data leaks, or unauthorized modification of files.
- Potential cascading effects include privilege escalation, where attackers gain higher-level access to the system.
- Business impact includes loss of data integrity, breaches of confidential information, and potential legal liabilities.
• Prevention Guidelines:
- Specific code-level fixes include validating file paths to ensure they do not resolve to symbolic links or unintended resources.
- Security best practices involve using system calls or APIs that can handle symbolic link resolution securely or performing checks on file attributes.
- Recommended tools and frameworks include using secure file access libraries and enabling operating system features that restrict symbolic link following.
Technical Details
Likelihood of Exploit:
Affected Languages: Not Language-Specific
Affected Technologies: Not specified
Soft links are a UNIX term that is synonymous with simple shortcuts on Windows-based platforms.
Vulnerable Code Example
import os
def read_file(file_path):
# Vulnerable to CWE-59: This function does not check if the file_path is a symbolic link
# An attacker can create a symbolic link pointing to a sensitive file, gaining unauthorized access
with open(file_path, 'r') as file:
content = file.read()
return content
# Usage
print(read_file('/tmp/user_input.txt'))
How to fix Improper Link Resolution Before File Access ('Link Following')?
To fix this vulnerability, ensure that the application does not follow symbolic links unless explicitly intended. This can be achieved by using the os.path.islink() function to detect symbolic links and the os.path.realpath() function to resolve the actual file path. Additionally, it's crucial to validate that the resolved path is within an expected directory structure to prevent unauthorized access to sensitive files.
Security principles to apply:
- Validate Inputs: Always validate and sanitize inputs, particularly file paths.
- Avoid Following Links: Use system calls to verify the nature of files and prevent following symbolic links unless explicitly intended.
Fixed Code Example
import os
def read_file(file_path):
# Check if the file is a symbolic link and reject it if it is
if os.path.islink(file_path):
raise ValueError("Symbolic links are not allowed")
# Resolve the real path of the file to ensure it's the intended target
real_path = os.path.realpath(file_path)
# Verify that the resolved path is within a specified directory
allowed_directory = '/allowed/directory/'
if not real_path.startswith(allowed_directory):
raise ValueError("Access to the specified file is not allowed")
with open(real_path, 'r') as file:
content = file.read()
return content
# Usage
print(read_file('/tmp/user_input.txt'))
In this fixed example, the code first checks if the file path is a symbolic link using os.path.islink(). If it is, an exception is raised to prevent access. The code then resolves the real path of the file using os.path.realpath() and checks if the resolved path is within an allowed directory. This ensures that only intended files are accessed, mitigating the risk of link following vulnerabilities.