2022-07-26 15:09:13 +02:00
|
|
|
=== How to fix it in Java SE
|
|
|
|
|
|
2022-07-27 14:34:13 +02:00
|
|
|
:canonicalization_function: java.io.File.getCanonicalPath
|
|
|
|
|
include::../../common/fix/code-rationale.adoc[]
|
2022-07-26 15:09:13 +02:00
|
|
|
|
2022-09-15 10:28:08 +02:00
|
|
|
==== Non-compliant code example
|
|
|
|
|
|
|
|
|
|
[source,java,diff-id=1,diff-type=noncompliant]
|
2022-07-26 15:09:13 +02:00
|
|
|
----
|
2022-08-05 17:10:47 +02:00
|
|
|
@Controller
|
|
|
|
|
public class ExampleController
|
2022-07-26 15:09:13 +02:00
|
|
|
{
|
|
|
|
|
static private String targetDirectory = "/path/to/target/directory/";
|
|
|
|
|
|
2022-08-05 17:10:47 +02:00
|
|
|
@GetMapping(value = "/delete")
|
|
|
|
|
public void delete(@RequestParam("filename") String filename) throws IOException {
|
2022-07-26 15:09:13 +02:00
|
|
|
|
|
|
|
|
File file = new File(targetDirectory + filename);
|
2022-09-15 10:28:08 +02:00
|
|
|
file.delete();
|
2022-07-26 15:09:13 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
----
|
2022-09-15 10:28:08 +02:00
|
|
|
|
|
|
|
|
==== Compliant solution
|
|
|
|
|
|
|
|
|
|
[source,java,diff-id=1,diff-type=compliant]
|
2022-07-26 15:09:13 +02:00
|
|
|
----
|
2022-08-05 17:10:47 +02:00
|
|
|
@Controller
|
|
|
|
|
public class ExampleController
|
2022-07-26 15:09:13 +02:00
|
|
|
{
|
|
|
|
|
static private String targetDirectory = "/path/to/target/directory/";
|
|
|
|
|
|
2022-08-05 17:10:47 +02:00
|
|
|
@GetMapping(value = "/delete")
|
|
|
|
|
public void delete(@RequestParam("filename") String filename) throws IOException {
|
2022-07-26 15:09:13 +02:00
|
|
|
|
|
|
|
|
File file = new File(targetDirectory + filename);
|
|
|
|
|
String canonicalDestinationPath = file.getCanonicalPath();
|
|
|
|
|
|
|
|
|
|
if (!canonicalDestinationPath.startsWith(targetDirectory)) {
|
|
|
|
|
throw new IOException("Entry is outside of the target directory");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
file.delete();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
=== How does this work?
|
|
|
|
|
|
2022-07-27 14:34:13 +02:00
|
|
|
include::../../common/fix/how-does-this-work.adoc[]
|
2022-09-14 19:49:53 +02:00
|
|
|
|
|
|
|
|
=== Pitfalls
|
|
|
|
|
|
|
|
|
|
include::../../common/pitfalls/partial-path-traversal.adoc[]
|
|
|
|
|
|
|
|
|
|
For example, the following code is vulnerable to partial path injection. Note
|
|
|
|
|
that the string `targetDirectory` does not end with a path separator:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[source, java]
|
|
|
|
|
----
|
|
|
|
|
static private String targetDirectory = "/Users/John";
|
|
|
|
|
|
|
|
|
|
@GetMapping(value = "/endpoint")
|
|
|
|
|
public void endpoint(@RequestParam("folder") fileName) throws IOException {
|
|
|
|
|
|
|
|
|
|
String canonicalizedFileName = fileName.getCanonicalPath();
|
|
|
|
|
|
|
|
|
|
if (!canonicalizedFileName .startsWith(targetDirectory)) {
|
|
|
|
|
throw new IOException("Entry is outside of the target directory");
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
This check can be bypassed because `"/Users/Johnny".startsWith("/Users/John")`
|
|
|
|
|
returns `true`. Thus, for validation, `"/Users/John"` should actually be
|
|
|
|
|
`"/Users/John/"`.
|
|
|
|
|
|
|
|
|
|
**Warning**: Some functions, such as `.getCanonicalPath`, remove the
|
|
|
|
|
terminating path separator in their return value. +
|
|
|
|
|
The validation code should be tested to ensure that it cannot be impacted by this
|
|
|
|
|
issue.
|
|
|
|
|
|
|
|
|
|
https://github.com/aws/aws-sdk-java/security/advisories/GHSA-c28r-hw5m-5gv3[Here is a real-life example of this vulnerability.]
|
