...
Absolute or relative path names may contain file links such as symbolic (soft) links, hard links, shortcuts, shadows, aliases, and junctions rather than canonical paths. These file links must be fully resolved before any file validation operations are performed. For example, the final target of a symbolic link called trace might be the path name /home/system/trace. Path names may also contain special file names that make validation difficult:
...
This noncompliant code example accepts a file path as a command line argument and uses the File.getAbsolutePath() method to obtain the absolute file path. It also uses the isInSecureDir() method defined in FIO00-J. Do not operate on files in shared directories (or an equivalent method) to ensure that the file is in a secure directory, but it does not resolve file links or eliminate equivalence errors.
...
The application intends to restrict the user me from operating on files outside the /home/me directory. The validate() method ensures that the path name resides within this directory, but the validation can be easily circumvented. For example, the user me can create a link in their home directory /home/me that refers to a directory or file outside of their home directory. The path name of the link might appear to the validate() method to reside in /home/me and consequently pass validation, but the operation will actually be performed on the final target of the link, which resides outside the intended directory.
...
This noncompliant code example allows the user to specify the absolute path of a file name on which to operate. The user can specify files outside the intended directory (/img in this example) by entering an argument that contains ../ sequences and consequently violates the intended security policies of the program.
...
This noncompliant code example attempts to mitigate the issue by using the File.getCanonicalPath() method, which fully resolves the argument and constructs a canonicalized path. For example, the path /img/../etc/passwd resolves to /etc/passwd. Canonicalization without validation is insufficient because the user can still specify files outside the intended directory.
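The pattern the three noncompliant examples above build toward, as an added example that is not code from the CERT page: canonicalize the untrusted path first, then validate the canonical result against the canonical form of the intended directory. The class name, the /img base directory and the sample inputs are assumptions chosen for illustration.

```java
import java.io.File;
import java.io.IOException;

// Added example (not the CERT page's own code). Base directory and inputs are
// constructed for illustration.
public final class CanonicalPathCheck {

    // Returns the canonical path of `requested` if it lies inside `baseDir`,
    // otherwise throws. Both sides are canonicalized so symbolic links and
    // "../" sequences are resolved before the comparison is made.
    public static String resolveInside(File baseDir, String requested) throws IOException {
        String base = baseDir.getCanonicalPath();
        // Canonicalize BEFORE validating; validating the raw argument would let
        // /img/../etc/passwd through, as in the second noncompliant example.
        String canonical = new File(requested).getCanonicalPath();
        // Compare against the base plus a separator so that /imgs is not
        // accepted as being inside /img by a naive prefix test.
        String basePrefix = base.endsWith(File.separator) ? base : base + File.separator;
        if (!canonical.equals(base) && !canonical.startsWith(basePrefix)) {
            throw new IOException("Path " + requested + " resolves to " + canonical
                    + ", which is outside " + base);
        }
        return canonical;
    }

    public static void main(String[] args) throws IOException {
        File base = new File("/img");
        // Constructed inputs: inside /img; escaping via "../"; and a sibling
        // directory that a plain string-prefix check would wrongly accept.
        String[] inputs = {"/img/logo.png", "/img/../etc/passwd", "/imgs/x.png"};
        for (String in : inputs) {
            try {
                System.out.println(in + " -> " + resolveInside(base, in));
            } catch (IOException e) {
                System.out.println(in + " rejected: " + e.getMessage());
            }
        }
    }
}
```

The check is only as good as the moment it runs: if a link inside the base directory is changed between validation and use, the operation can still land on a different target, so the file should be opened in a secure directory as FIO00-J describes.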
...
| FIO02-C. Canonicalize path names originating from untrusted sources |
| FIO02-CPP. Canonicalize path names originating from untrusted sources |
| ISO/IEC TR 24772:2010 (http://www.aitcnet.org/isai/), "Path Traversal [EWR]" |
| CWE-171, "Cleansing, Canonicalization, and Comparison Errors" |
| CWE-647, "Use of Non-Canonical URL Paths for Authorization Decisions" |
...
...