What's the best way to defend against a path traversal attack?

I have a Java server implementation (TFTP if it matters to you) and I'd like to ensure that it's not susceptible to path traversal attacks allowing access to files and locations that shouldn't be available.

My best attempt at defending so far is to reject any entries that match File.isAbsolute() and then rely on File.getCanonicalPath() to resolve any ../ and ./ components out of the path. Finally I ensure that the resulting path is still within the required root directory of my server:

```java
public String sanitize(final File dir, final String entry) throws IOException {
    if (entry.length() == 0) {
        throw new PathTraversalException(entry);
    }

    // An absolute entry can never be legitimately relative to the server root.
    if (new File(entry).isAbsolute()) {
        throw new PathTraversalException(entry);
    }

    // Canonicalise both sides so "..", "." and symlinks are resolved before comparing.
    final String canonicalDirPath = dir.getCanonicalPath() + File.separator;
    final String canonicalEntryPath = new File(dir, entry).getCanonicalPath();

    // The resolved entry must still lie inside the root directory.
    if (!canonicalEntryPath.startsWith(canonicalDirPath)) {
        throw new PathTraversalException(entry);
    }

    // Return the path relative to the root.
    return canonicalEntryPath.substring(canonicalDirPath.length());
}
```

Are there security issues that this misses? Are there better / faster ways to achieve the same result reliably?

The code needs to work consistently across Windows and Linux.

Rob Oxspring, asked Mar 03 '10 23:03
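An added example, not code from the question or either answer, showing the same defence built on java.nio.file instead of java.io.File: the root is resolved once with toRealPath(), the client-supplied name is checked for absolute and drive-relative forms, lexically normalised, then resolved against the root and checked again after symlink resolution. The class name SafePathResolver, the exception messages and the sample inputs in main are all constructed for this illustration; the root directory is a temporary directory created at run time.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Constructed example: maps a client-supplied TFTP file name onto a fixed
 * root directory and rejects anything that would resolve outside it.
 */
public final class SafePathResolver {

    private final Path root;

    public SafePathResolver(Path root) throws IOException {
        // Resolve symlinks in the root itself once (e.g. /tmp -> /private/tmp on
        // macOS) so later comparisons are made between real paths.
        this.root = root.toRealPath();
    }

    /** Returns the real path of the requested entry, or throws if it escapes the root. */
    public Path resolve(String entry) throws IOException {
        if (entry == null || entry.isEmpty()) {
            throw new IOException("empty file name");
        }
        // A NUL byte can truncate the name once it reaches native code.
        if (entry.indexOf('\0') >= 0) {
            throw new IOException("invalid character in file name");
        }
        Path candidate;
        try {
            candidate = Paths.get(entry);
        } catch (InvalidPathException e) {
            throw new IOException("malformed file name", e);
        }
        // Absolute names, and on Windows drive-relative ("C:foo") or
        // root-relative ("\foo") names, are never valid relative to the root.
        if (candidate.isAbsolute() || candidate.getRoot() != null) {
            throw new IOException("absolute path not allowed");
        }
        // Collapse "." and ".." lexically, then refuse any ".." that survives
        // (normalize() cannot remove a leading "..") and refuse the empty path.
        Path normalized = candidate.normalize();
        if (normalized.toString().isEmpty()) {
            throw new IOException("file name resolves to the root itself");
        }
        for (Path part : normalized) {
            if (part.toString().equals("..")) {
                throw new IOException("parent reference not allowed");
            }
        }
        Path joined = root.resolve(normalized).normalize();
        if (!joined.startsWith(root)) {
            throw new IOException("path escapes root");
        }
        // Second check after following symlinks: an existing file is resolved
        // fully; a new file (e.g. a TFTP write) needs an existing parent inside
        // the root, whose real path is then combined with the final name.
        Path real;
        if (Files.exists(joined)) {
            real = joined.toRealPath();
        } else {
            real = joined.getParent().toRealPath().resolve(joined.getFileName());
        }
        if (!real.startsWith(root)) {
            throw new IOException("path escapes root via symlink");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempDirectory("tftp-root");
        Files.createFile(tmp.resolve("boot.img"));
        SafePathResolver resolver = new SafePathResolver(tmp);
        // Constructed sample inputs; the backslash and drive-letter forms are
        // plain file names on Linux and are rejected only on Windows.
        String[] samples = {
            "boot.img", "sub/../boot.img", "../etc/passwd", "/etc/passwd",
            "sub/../../etc/passwd", "..\\..\\windows\\win.ini", "C:\\windows\\win.ini", "."
        };
        for (String s : samples) {
            try {
                System.out.println("ALLOW " + s + " -> " + resolver.resolve(s));
            } catch (IOException e) {
                System.out.println("DENY  " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Checking twice, once lexically and once after toRealPath(), is deliberate: the lexical pass rejects obvious ".." and absolute forms with a clear error before touching the filesystem, and the real-path pass catches a symlink inside the root that points outside it, which a purely string-based check cannot see.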



2 Answers

The following may help. It compares the canonical and absolute paths, and if they differ, then it'll fail. Only tested on a Mac/Linux system (i.e. no Windows).

This is for the case where you want to allow the user to supply a relative path, not an absolute path, and you don't allow any parent directory references.

```java
public void failIfDirectoryTraversal(String relativePath) {
    File file = new File(relativePath);

    if (file.isAbsolute())
    {
        throw new RuntimeException("Directory traversal attempt - absolute path not allowed");
    }

    String pathUsingCanonical;
    String pathUsingAbsolute;
    try
    {
        pathUsingCanonical = file.getCanonicalPath();
        pathUsingAbsolute = file.getAbsolutePath();
    }
    catch (IOException e)
    {
        throw new RuntimeException("Directory traversal attempt?", e);
    }

    // Require the absolute path and canonicalized path match.
    // This is done to avoid directory traversal
    // attacks, e.g. "1/../2/"
    if (! pathUsingCanonical.equals(pathUsingAbsolute))
    {
        throw new RuntimeException("Directory traversal attempt?");
    }
}
```
Brad Parks, answered Sep 24 '22 05:09


If you're running this on a Unix machine (I'm not sure if Windows has something similar, but it might) you'll want to look at chroot. Even if you think you hit all the ways for someone to refer up a few directories, it's nice to have the operating system there enforcing the fact.

(chroot causes '/' to refer to some other directory, so "/" might be "/home/me/project" and "/../../.." is still "/home/me/project".)

EDIT:

There's a chroot system call as well as a chroot command-line tool. I don't know if Java has a native method, but nothing would prevent you from running your server with the command-line tool. This should, of course, be in addition to doing your best to prevent other path manipulations.

Sniggerfardimungus, answered Sep 23 '22 05:09