SV.TAINTED.PATH_TRAVERSAL

Unvalidated input in path construction

If a program uses external input to construct a pathname without special character neutralization, it can be left open to a path traversal attack. This checker reports defects when external strings that are used as parts of file paths are not checked properly.

Vulnerability and risk

A path traversal attack aims to get access to arbitrary files and directories including critical system or application data. A path traversal attack can also be used to provide malicious configuration for a program. It has been ranked as #13 in the Top 25 Most Dangerous Programming Errors.

Mitigation and prevention

To avoid this issue, it's best to add validation code before raw input is used as a pathname. The validation code must contain checks for the following cases:

• dot-dot-slash ( ../ ): Using this sequence and its variations, an attacker could navigate your file system and obtain access to any file.
 Note that ( ../ ) can be presented in various encodings, for example, " ../../../etc/shadow " .
• absolute paths: Using absolute paths in a situation when relative paths are expected could also provide access to arbitrary files in your system, for example, " /etc/shadow ".
• null symbol : Using the null symbol may allow an attacker to truncate a generated filename to widen the scope of attack in a situation when an application restricts possible file extensions by checking or appending specific extension, for example, " application.cfg%00.pdf ".

Vulnerable code example

1
2
3
4
5
6
7
8
9
10
11
  main.c
  #include <stdio.h>
  int main(int argc, char **argv) {
    char *name = argv[1];
    FILE *user_config = fopen(name, "r");
    if (user_config == NULL) {
      return 1;
    }
    fclose(user_config);
    return 0;
  }

Klocwork reports a defect in this example because the "name" string is received through the "argv" argument and is used as a pathname without being validated.

Fixed code example

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
  check.h
  char* neutralize(char *);
  main.c
  #include <stdio.h>
  #include "check.h"
  int main(int argc, char **argv) {
     char *name = argv[1];
     name = neutralize(name);
     FILE *user_config = fopen(name, "r");
    if (user_config == NULL) {
       return 1;
    }
    fclose(user_config);
    return 0;
    }

      check.kb
      neutralize - TSCheckPT 1 : $1 : 1

Klocwork will not report a defect in this example because the external input is passed to the "neutralize" function and is validated, making the path safe.

Related checkers

• SV.CODE_INJECTION.SHELL_EXEC
• SV.DLLPRELOAD.NONABSOLUTE.DLL
• SV.DLLPRELOAD.NONABSOLUTE.EXE
• SV.DLLPRELOAD.SEARCHPATH

External guidance

• CWE-20: Improper Input Validation
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
• CWE-99: Improper Control of Resource Identifiers ('Resource Injection')
• CWE-426: Untrusted Search Path
• CWE-896: None
• OWASP A1:2021 Broken Access Control
• OWASP A3:2021 Injection
• OWASP A8:2021 Software and Data Integrity Failures

Security training

Application security training materials provided by Secure Code Warrior.

• Path Traversal Training Video - Test your skills with a training example
• Resource Injection Training Video - Test your skills with a training example

Extension

This checker can be extended through the Klocwork knowledge base. See Tuning C/C++ analysis for more information.