SV.TAINTED.PATH_TRAVERSAL
Unvalidated input in path construction
If a program uses external input to construct a pathname without special character neutralization, it can be left open to a path traversal attack. This checker reports defects when external strings that are used as parts of file paths are not checked properly.
Vulnerability and risk
A path traversal attack aims to get access to arbitrary files and directories including critical system or application data. A path traversal attack can also be used to provide malicious configuration for a program. It has been ranked as #13 in the Top 25 Most Dangerous Programming Errors.
Mitigation and prevention
To avoid this issue, it's best to add validation code before raw input is used as a pathname. The validation code must contain checks for the following cases:
- dot-dot-slash ( ../ ): Using this sequence and its variations, an attacker could navigate your file system and obtain access to any file. Note that ( ../ ) can be presented in various encodings, for example, " ../../../etc/shadow " .
- absolute paths: Using absolute paths in a situation when relative paths are expected could also provide access to arbitrary files in your system, for example, " /etc/shadow ".
- null symbol : Using the null symbol may allow an attacker to truncate a generated filename to widen the scope of attack in a situation when an application restricts possible file extensions by checking or appending specific extension, for example, " application.cfg%00.pdf ".
Vulnerable code example
main.c
#include <stdio.h>
int main(int argc, char **argv) {
char *name = argv[1];
FILE *user_config = fopen(name, "r");
if (user_config == NULL) {
return 1;
}
fclose(user_config);
return 0;
}
Klocwork reports a defect in this example because the "name" string is received through the "argv" argument and is used as a pathname without being validated.
Fixed code example
check.h
char* neutralize(char *);
main.c
#include <stdio.h>
#include "check.h"
int main(int argc, char **argv) {
char *name = argv[1];
name = neutralize(name);
FILE *user_config = fopen(name, "r");
if (user_config == NULL) {
return 1;
}
fclose(user_config);
return 0;
}
check.kb
neutralize - TSCheckPT 1 : $1 : 1
Klocwork will not report a defect in this example because the external input is passed to the "neutralize" function and is validated, making the path safe.
Related checkers
External guidance
- CWE-20: Improper Input Validation
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-99: Improper Control of Resource Identifiers ('Resource Injection')
- CWE-426: Untrusted Search Path
- CWE-896: None
- OWASP A1:2021 Broken Access Control
- OWASP A3:2021 Injection
- OWASP A8:2021 Software and Data Integrity Failures
Security training
Application security training materials provided by Secure Code Warrior.
Extension
This checker can be extended through the Klocwork knowledge base. See Tuning C/C++ analysis for more information.