Unvalidated input in path construction

If a program uses external input to construct a pathname without neutralizing special characters, it can be left open to a path traversal attack. This checker reports defects when external strings that are used as parts of file paths are not checked properly.

Vulnerability and risk

A path traversal attack aims to get access to arbitrary files and directories including critical system or application data. A path traversal attack can also be used to provide malicious configuration for a program. It has been ranked as #12 in the Top 25 Most Dangerous Programming Errors.

Mitigation and prevention

To avoid this issue, it's best to add validation code before raw input is used as a pathname. The validation code must contain checks for the following cases:

  • dot-dot-slash (../): Using this sequence and its variations, an attacker could navigate your file system and obtain access to any file. Note that ../ can be presented in various encodings, for example, "../../../etc/shadow".
  • absolute paths: Using absolute paths in a situation when relative paths are expected could also provide access to arbitrary files in your system, for example, "/etc/shadow".
  • null symbol: Using the null symbol may allow an attacker to truncate a generated filename to widen the scope of attack in a situation when an application restricts possible file extensions by checking or appending a specific extension, for example, "application.cfg%00.pdf".

Vulnerable code example

using System.IO;

namespace Program
{
    class Program
    {
        static void Main(string[] args)
        {
            // external input taken straight from the command line
            string fileName = args[1];
            // the unvalidated string is used directly as the pathname to create
            using (BinaryWriter writer = new BinaryWriter(File.Open(fileName, FileMode.Create)))
            {
                writer.Write(1.250F);
                writer.Write(@"c:\Temp");
                writer.Write(10);
                writer.Write(true);
            }
        }
    }
}

In this example, Klocwork reports a defect because the "fileName" string is received through the "args" argument and is used as a pathname without being validated.

Fixed code example

using System.IO;

namespace Test
{
    class Program
    {
        static void Main(string[] args)
        {
            // external input taken straight from the command line
            string fileName = args[1];
            // the input is validated before it is used as a pathname
            neutralize(fileName);
            using (BinaryWriter writer = new BinaryWriter(File.Open(fileName, FileMode.Create)))
            {
                writer.Write(1.250F);
                writer.Write(@"c:\Temp");
                writer.Write(10);
                writer.Write(true);
            }
        }

        private static void neutralize(string fname)
        {
            // validation of fname (dot-dot-slash, absolute paths, null symbol)
            // goes here; the body is left empty in this example
        }
    }
}

Klocwork no longer reports a defect because the external input is passed to the "neutralize" function and is validated, making the path safe.
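As an added example (not part of the Klocwork documentation or the code above), the following C# validator implements the three checks listed under Mitigation and prevention and additionally confirms that the canonical path stays under an assumed application directory. The PathValidator class, the SafePath method, the "data" base directory and the sample inputs are constructed for this illustration; the page's "%00" is the URL-encoded form of the null symbol, so such input must be decoded before it is validated.

```csharp
using System;
using System.IO;

// Added example, not Klocwork's code: rejects the three cases from the list
// above and then checks that the canonical path stays under baseDir.
static class PathValidator
{
    // Returns the canonical path when fileName is a safe relative name under
    // baseDir (an assumed application directory); otherwise throws.
    public static string SafePath(string baseDir, string fileName)
    {
        if (string.IsNullOrEmpty(fileName))
            throw new ArgumentException("empty file name");
        // null symbol: a NUL inside the name can truncate it in native APIs
        if (fileName.IndexOf('\0') >= 0)
            throw new ArgumentException("null character in file name");
        // absolute paths: only names relative to baseDir are expected
        if (Path.IsPathRooted(fileName))
            throw new ArgumentException("absolute path not allowed");
        // dot-dot-slash and its variants (..\ on Windows) are rejected outright
        foreach (string part in fileName.Split(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar))
            if (part == "..")
                throw new ArgumentException("parent directory reference not allowed");
        // defence in depth: canonicalise and confirm the result is still under baseDir
        string root = Path.GetFullPath(baseDir);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, fileName));
        if (!full.StartsWith(root, StringComparison.Ordinal))
            throw new ArgumentException("path escapes the base directory");
        return full;
    }

    static void Main()
    {
        // constructed sample inputs: the first is accepted, the other three rejected
        string[] samples = { "report.pdf", "../../../etc/shadow", "/etc/shadow", "application.cfg\0.pdf" };
        foreach (string s in samples)
        {
            try { Console.WriteLine("accepted: " + SafePath("data", s)); }
            catch (ArgumentException e) { Console.WriteLine("rejected: " + e.Message); }
        }
    }
}
```

On a case-insensitive file system the final StartsWith comparison should use StringComparison.OrdinalIgnoreCase so that a differently cased base directory is not treated as an escape.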

Security training

Application security training materials provided by Secure Code Warrior.