Insecure File Management

Fixing Path Traversal

About Path Traversal

What is Path Traversal?

Path traversal, also known as directory traversal, is a type of security vulnerability that allows an attacker to access files or directories outside the web root directory of a web application. This vulnerability occurs when a web application does not properly validate user input or user-controlled data, such as file names or paths, and allows directory traversal sequences to be passed through the input.

Check out this video for a high-level explanation:

What is the impact of Path Traversal?

Path Traversal can lead to unauthorized access to sensitive files and data on a server or application. This can include files containing passwords, user data, or other confidential information.

An attacker who successfully exploits a Path Traversal vulnerability can gain access to sensitive data, modify or delete files, and potentially execute arbitrary code or perform other malicious actions.

This can lead to a variety of security incidents, such as data breaches, theft of intellectual property, or disruption of services.

The impact of a Path Traversal vulnerability can vary depending on the nature of the files and data that are accessed, as well as the specific context of the system or application being targeted.

In some cases, a Path Traversal attack may have little impact beyond revealing the existence of certain files, while in other cases, it can have severe consequences for the confidentiality, integrity, and availability of the system or application.

How to prevent Path Traversal?

To prevent Path Traversal vulnerabilities, it is important to properly validate and sanitize user input, and to use secure coding practices.

Here are some steps that can help prevent Path Traversal attacks:

• Validate user input: Always validate and sanitize user input, especially file names and paths. Ensure that user input only contains expected characters and that any special characters are properly escaped or removed.
• Use secure coding practices: Use secure coding practices, such as enforcing strict file permissions and preventing the execution of user-controlled input as code. Use libraries and frameworks that have built-in protection against Path Traversal attacks.
• Use an allow list: Use an allow list of permitted file names or directories and reject any input that does not match the list. This can help prevent unauthorized access to sensitive files and directories.
• Implement access controls: Implement access controls to restrict user access to files and directories based on roles and permissions.
• Use server-side checks: Use server-side checks to verify that any requested file or directory is within the expected range and does not contain any invalid or unexpected characters.
• Monitor and log: Monitor and log all file system access to detect any suspicious activity or attempts to access files or directories outside of the expected range.

By following these steps, you can help prevent Path Traversal vulnerabilities and reduce the risk of unauthorized access to sensitive files and data.

References

Taxonomies

• OWASP Top 10 - A01 Broken Access Control
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
• CWE-23: Relative Path Traversal
• CWE-36: Absolute Path Traversal

Explanation & Prevention

• OWASP: Path Traversal
• OWASP: File Upload Cheat Sheet
• OWASP: Input Validation Cheat Sheet
• CAPEC-126: Path Traversal
• WASC-33: Path Traversal

Related CVEs

• CVE Details: CWE-22

Training

• Secure Code Warrior: Path Traversal

Rule-specific references:

• Rails Security Guide - Redirection and Files

Option A: Sanitize Input

1. Go through the issues that GuardRails identified in the PR/MR

2. A vulnerable example is shown below:

   def download
       language_code = params[:code]
       send_file(
       "#{Rails.root}/config/locales/#{language_code}.yml",
       filename: "#{language_code}.yml",
       type: "application/yml"
       )
   end

3. Replace it with the following pattern:

   def sanitize(filename)
       # Remove any character that aren't 0-9, A-Z, or a-z
       filename.gsub(/[^0-9A-Z]/i, '_')
   end
   
   def download
       language_code = params[:code]
       send_file(
       "#{Rails.root}/config/locales/#{language_code}.yml",
       filename: "#{sanitize(language_code)}.yml",
       type: "application/yml"
       )
   end

4. Test it

5. Ship it 🚢 and relax 🌴

Option B: Migrate to Active Storage

1. Nowadays, there is rarely a need to allow users to interact with local files
2. A better alternative is storing files in dedicated systems, such as AWS S3
3. Ruby on Rails 5.2 ships with Active Storage, which exposes cloud storage services
4. More information on Active Storage can be found here