Recommendation¶

Validate user input before using it to construct a file path, either using an off-the-shelf library likeActiveStorage::Filename#sanitized in Rails, or by performing custom validation.

Ideally, follow these rules:

• Do not allow more than a single “.” character.

• Do not allow directory separators such as “/” or “\” (depending on the file system).

• Do not rely on simply replacing problematic sequences such as “../”. For example, after applying this filter to “…/…//”, the resulting string would still be “../”.

• Use a whitelist of known good patterns.

Example¶

In the first example, a file name is read from an HTTP request and then used to access a file. However, a malicious user could enter a file name which is an absolute path, such as"/etc/passwd".

In the second example, it appears that the user is restricted to opening a file within the"user" home directory. However, a malicious user could enter a file name containing special characters. For example, the string"../../etc/passwd" will result in the code reading the file located at"/home/user/../../etc/passwd", which is the system’s password file. This file would then be sent back to the user, giving them access to all the system’s passwords.

classFilesController<ActionController::Basedeffirst_example# BAD: This could read any file on the file system@content=File.readparams[:path]enddefsecond_example# BAD: This could still read any file on the file system@content=File.read"/home/user/#{params[:path]}"endend

References¶

• OWASP:Path Traversal.

• Rails:ActiveStorage::Filename#sanitized.

• Common Weakness Enumeration:CWE-22.

• Common Weakness Enumeration:CWE-23.

• Common Weakness Enumeration:CWE-36.

• Common Weakness Enumeration:CWE-73.

• Common Weakness Enumeration:CWE-99.