According to the Java API [API 2006] for class java.io.File,

A path name, whether abstract or in string form, may be either absolute or relative. An absolute path name is complete in that no other information is required to locate the file that it denotes. A relative path name, in contrast, must be interpreted in terms of information taken from some other path name.

...

The process of canonicalizing file names makes it easier to validate a path name. More than one path name can refer to a single directory or file. Further, the textual representation of a path name may yield little or no information regarding the directory or file to which it refers. Consequently, all path names must be fully resolved or canonicalized before validation.

Validation may be necessary, for example, when attempting to restrict user access to files within a particular directory, or otherwise making security decisions based upon a file name or path name. Frequently, these restrictions can be circumvented by an attacker by exploiting a directory traversal or path equivalence vulnerability. A directory traversal vulnerability allows an I/O operation to escape a specified operating directory. A path equivalence vulnerability occurs when an attacker provides a different but equivalent name for a resource to bypass security checks.

...

During this time the canonical path name may have been modified and may no longer be referencing a valid file. The canonical path name can be used to determine if the referenced file name is in a secure directory (see FIO00-J. Do not operate on files in shared directories). If the referenced file is in a secure directory, then by definition, an attacker cannot tamper with it and cannot exploit the race condition.

...

Code Block
public static void main(String[] args) {
  File f = new File("/home/me/" + args[0]);
  // getAbsolutePath() does not resolve "..", "." or links
  String absPath = f.getAbsolutePath();

  if (!isInSecureDir(Paths.get(absPath))) {
    throw new IllegalArgumentException();
  }
  if (!validate(absPath)) {  // Validation of the non-canonical name
    throw new IllegalArgumentException();
  }
}

The application intends to restrict the user me from operating on files outside the /home/me directory. The validate() method ensures that the path name resides within this directory, but the validation can be easily circumvented. For example, the user me can create a link in their home directory /home/me that refers to a directory or file outside of the directory. The path name of the link might appear to the validate() method to reside in the /home/me and consequently pass validation, but the operation will actually be performed on the final target of the link, which resides outside the intended directory.

...

The getCanonicalPath() method throws a security exception when used within applets because it reveals too much information about the host machine. The getCanonicalFile() method behaves like getCanonicalPath() but returns a new File object instead of a String.

...

A comprehensive way of handling this issue is to grant the application the permissions to operate only on files present within the intended directory (/home/me in this example). This compliant solution specifies the absolute path of the program in its security policy file and grants java.io.FilePermission with target /home/me and actions read and write.

...

This noncompliant code example allows the user to specify the absolute path of a file name on which to operate. The user can specify files outside the intended directory (/img in this example) by entering an argument that contains ../ sequences and consequently violate the intended security policies of the program.

...

Code Block
File f = new File("/img/" + args[0]);
// The canonical path is computed but never validated
String canonicalPath = f.getCanonicalPath();
FileOutputStream fis = new FileOutputStream(f);
// ...

...

This compliant solution obtains the file name from the untrusted user input, canonicalizes it, and then validates it against the intended file name. It operates on the specified file only when validation succeeds.

Code Block
File f = new File("/img/" + args[0]);
String canonicalPath = f.getCanonicalPath();

// Validation: accept only the intended file names
if (!canonicalPath.equals("/img/java/file1.txt") &&
    !canonicalPath.equals("/img/java/file2.txt")) {
  throw new IllegalArgumentException();
}

FileInputStream fis = new FileInputStream(f);

The /img/java directory must be secure to eliminate any race condition.
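The following is an added example, not part of the original guideline. It generalizes the equality check above to "the canonical path must lie inside the canonical base directory" and runs it against equivalent names, a ../ sequence and a link that leaves the directory. The class and method names are hypothetical, the directory layout is constructed in a temporary directory, and it assumes a file system on which symbolic links can be created.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example; class and method names are hypothetical.
public class CanonicalizeThenValidate {

  // Returns the canonical file for an untrusted name, or throws if the
  // canonical form is not inside the canonical base directory.
  static File resolveInside(File baseDir, String untrustedName) throws IOException {
    Path base = baseDir.getCanonicalFile().toPath();
    File canonical = new File(baseDir, untrustedName).getCanonicalFile();
    // Path.startsWith compares whole name elements, so the sibling
    // "img-private" is not mistaken for a child of "img".
    if (!canonical.toPath().startsWith(base)) {
      throw new IllegalArgumentException("outside " + base);
    }
    return canonical;
  }

  public static void main(String[] args) throws IOException {
    // Constructed layout in a temporary directory (sample data).
    Path tmp = Files.createTempDirectory("ids02j");
    Path img = Files.createDirectories(tmp.resolve("img/java")).getParent();
    Path priv = Files.createDirectories(tmp.resolve("img-private"));
    Files.createFile(img.resolve("java/file1.txt"));
    Files.createFile(priv.resolve("secret.txt"));
    Files.createSymbolicLink(img.resolve("link"), priv); // link leaving img

    String[] inputs = {
      "java/file1.txt",             // plain name
      "java/../java/./file1.txt",   // equivalent name for the same file
      "../img-private/secret.txt",  // ".." traversal
      "link/secret.txt",            // looks local, target is outside
    };
    for (String name : inputs) {
      // getAbsolutePath() keeps "." and ".." and does not resolve links.
      System.out.println("absolute: " + new File(img.toFile(), name).getAbsolutePath());
      try {
        System.out.println("accepted: " + resolveInside(img.toFile(), name));
      } catch (IllegalArgumentException e) {
        System.out.println("rejected: " + e.getMessage());
      }
    }
  }
}
```

The check is only as strong as the directory it protects: as noted above, the base directory must be secure, otherwise the file system can change between the check and the open.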

Compliant Solution (Security Manager)

This compliant solution grants the application the permissions to read only the intended files or directories. For example, read permission is granted by specifying the absolute path of the program in the security policy file and granting java.io.FilePermission with the canonicalized absolute path of the file or directory as the target name and with the action set to read.

...

CVE-2005-0789 describes a directory traversal vulnerability in LimeWire 3.9.6 through 4.6.0 that allows remote attackers to read arbitrary files via a .. (dot dot) in a magnet request.

CVE-2008-5518 describes multiple directory traversal vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 on Windows that allow remote attackers to upload files to arbitrary directories.

...

The CERT C Secure Coding Standard: FIO02-C. Canonicalize path names originating from untrusted sources

The CERT C++ Secure Coding Standard: FIO02-CPP. Canonicalize path names originating from untrusted sources

ISO/IEC TR 24772:2010 (http://www.aitcnet.org/isai/): "Path Traversal [EWR]"

MITRE CWE: CWE-171, "Cleansing, Canonicalization, and Comparison Errors"

MITRE CWE: CWE-647, "Use of Non-Canonical URL Paths for Authorization Decisions"

...

[API 2006] method getCanonicalPath() (http://java.sun.com/javase/6/docs/api/java/io/File.html#getCanonicalPath())

[Harold 1999]

...