Corgea LogoCorgea Security Hub

CWE-61: UNIX Symbolic Link (Symlink) Following

Learn about CWE-61 (UNIX Symbolic Link (Symlink) Following), its security impact, exploitation methods, and prevention guidelines.

• Overview: A UNIX Symbolic Link (Symlink) Following vulnerability occurs when a software product opens files or directories without properly handling symbolic links, which can point to unauthorized files or directories outside the intended control area. This can allow attackers to manipulate file paths and access restricted files.

• Exploitation Methods:

  • Attackers can exploit this by creating symlinks that point to sensitive files or directories.
  • Common techniques include symlink race conditions, where attackers create or change symlinks between the time a file is checked and the time it is accessed.

• Security Impact:

  • Direct consequences include unauthorized read, write, or corruption of files.
  • Potential cascading effects include privilege escalation if an attacker can modify critical system files.
  • Business impact may include data breaches, loss of sensitive information, or system downtime.

• Prevention Guidelines:

  • Use the "O_NOFOLLOW" flag when opening files to prevent following symlinks.
  • Implement checks to validate file paths against symbolic links before accessing them.
  • Recommended tools and frameworks include static analysis tools that can detect insecure file handling and symlink vulnerabilities.
Corgea can automatically detect and fix UNIX Symbolic Link (Symlink) Following in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: High

Affected Languages: Not Language-Specific

Affected Technologies: Not specified

Vulnerable Code Example

import os

def read_file(file_path):
    # Directly open the file without checking if it's a symlink
    with open(file_path, 'r') as f:
        data = f.read()
    return data

In the above code, the read_file function opens a file for reading without checking if the file is a symbolic link. An attacker can exploit this by creating a symlink that points to a sensitive file outside the intended directory, potentially allowing unauthorized access to the file's contents.

To fix the symlink following vulnerability, you should validate that the file being accessed is not a symbolic link, or resolve the symlink and ensure it points within an allowed directory. One way to achieve this is by using os.path.realpath() to resolve the symlink and then verify that the resolved path is within an expected directory. Additionally, you can use os.lstat() to check if the path is a symlink before opening it.

Fixed Code Example

import os

def read_file(file_path):
    # Resolve the absolute path
    real_path = os.path.realpath(file_path)

    # Define the base directory
    base_dir = os.path.realpath('/safe/directory/')

    # Check if the resolved path is within the base directory
    if not real_path.startswith(base_dir):
        raise ValueError("Access to this file is not allowed.")

    # Ensure the path is not a symlink
    if os.path.islink(file_path):
        raise ValueError("Symbolic links are not allowed.")

    # Open the file only if it has passed the checks
    with open(real_path, 'r') as f:
        data = f.read()
    return data

In the fixed code, we first resolve the absolute path of the file using os.path.realpath(). We then verify that this resolved path starts with the base directory path (/safe/directory/) to ensure it's within the allowed directory. Additionally, we check if the file is a symbolic link using os.path.islink(). If any of these checks fail, we raise a ValueError, preventing unauthorized access. This approach ensures that even if an attacker tries to use a symbolic link to access sensitive files, the code will block such attempts.

Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-61: UNIX Symbolic Link (Symlink) Following and get remediation guidance

Start for free and no credit card needed.