PartialPathTraversalRemainder.inc.qhelp
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<recommendation>
<p>If the user should only access items within a certain directory <code>DIR</code>, ensure that <code>DIR</code> is slash-terminated
before checking that <code>DIR</code> is a prefix of the user-provided path, <code>SUBDIR</code>. Note that Java's <code>getCanonicalPath()</code>
returns a <b>non</b>-slash-terminated path string, so a slash must be appended to <code>DIR</code> if that method is used.</p>
</recommendation>
<example>
<p>
In this example, the <code>if</code> statement checks whether <code>parent.getCanonicalPath()</code>
is a prefix of <code>dir.getCanonicalPath()</code>. However, <code>parent.getCanonicalPath()</code> is
not slash-terminated. This means that users who supply <code>dir</code> may also be allowed to access siblings of <code>parent</code>
(for example, a directory whose name merely begins with the name of <code>parent</code>) and not just children of <code>parent</code>, which is a security issue.
</p>
<sample src="PartialPathTraversalBad.java" />
<p>
In this example, the <code>if</code> statement checks if <code>parent.toPath()</code>
is a prefix of <code>dir.normalize()</code>. Because <code>Path#startsWith</code> does the correct check that
<code>dir</code> is a child of <code>parent</code>, users will not be able to access siblings of <code>parent</code>, as desired.
</p>
<sample src="PartialPathTraversalGood.java" />
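<p>
The following is an added, self-contained illustration written for this page; it is not the content of the
<code>PartialPathTraversalBad.java</code> and <code>PartialPathTraversalGood.java</code> samples referenced above.
It places the non-slash-terminated prefix check next to two correct variants: appending <code>File.separator</code>
to the canonical prefix, and comparing name elements with <code>Path#startsWith</code> on absolute, normalized paths
(the <code>toAbsolutePath()</code> step is an addition of this example). The class name, method names and the
<code>/srv/app/...</code> paths are constructed and assume a POSIX-style file system.
</p>

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

// Added example for this page; class and method names are hypothetical.
public class PartialPathTraversalExample {

    // Weak check: the canonical prefix is not slash-terminated, so a sibling
    // directory such as /srv/app/data-old is accepted when parent is /srv/app/data.
    static boolean isInsideWeak(File parent, File dir) throws IOException {
        return dir.getCanonicalPath().startsWith(parent.getCanonicalPath());
    }

    // Fix 1: slash-terminate the prefix before the string comparison.
    // Note that this rejects dir == parent, since the prefix now ends in a separator.
    static boolean isInsideSlashTerminated(File parent, File dir) throws IOException {
        String prefix = parent.getCanonicalPath() + File.separator;
        return dir.getCanonicalPath().startsWith(prefix);
    }

    // Fix 2: Path#startsWith compares whole name elements, not characters.
    // normalize() is required so that ".." segments are collapsed before the
    // comparison; toAbsolutePath() is an addition so relative input behaves the same.
    static boolean isInsidePath(File parent, File dir) {
        Path parentPath = parent.toPath().toAbsolutePath().normalize();
        Path dirPath = dir.toPath().toAbsolutePath().normalize();
        return dirPath.startsWith(parentPath);
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: one legitimate child, one sibling directory whose
        // name shares the prefix, and one path that escapes via "..".
        File parent = new File("/srv/app/data");
        File child = new File("/srv/app/data/report.txt");
        File sibling = new File("/srv/app/data-old/secret.txt");
        File escaped = new File("/srv/app/data/../data-old/secret.txt");

        File[] inputs = { child, sibling, escaped };
        for (File dir : inputs) {
            System.out.println(dir.getPath());
            System.out.println("  weak prefix check      : " + isInsideWeak(parent, dir));
            System.out.println("  slash-terminated check : " + isInsideSlashTerminated(parent, dir));
            System.out.println("  Path#startsWith check  : " + isInsidePath(parent, dir));
        }
    }
}
```

<p>
Running the class shows the difference the recommendation describes: only the weak check accepts
the <code>data-old</code> sibling, while both fixes accept the genuine child and reject the sibling and the
<code>..</code> escape. If access to <code>parent</code> itself must also be allowed, prefer the
<code>Path#startsWith</code> variant, which treats an equal path as inside, or add an explicit equality
check beside the slash-terminated comparison.
</p>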
</example>
<references>
<li>OWASP:
<a href="https://owasp.org/www-community/attacks/Path_Traversal">Partial Path Traversal</a>.</li>
<li>CVE-2022-23457:
<a href="https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/GHSL-2022-008_The_OWASP_Enterprise_Security_API.md">ESAPI Vulnerability Report</a>.</li>
</references>
</qhelp>