Page History

...

This noncompliant code example accepts a file path as a command-line argument and uses the File.getAbsolutePath() method to obtain the absolute file path. It also uses the isInSecureDir() method defined in rule FIO00-J. Do not operate on files in shared directories to ensure that the file is in a secure directory. However, it neither resolves file links nor eliminates equivalence errors.

public static void main(String[] args) {
  File f = new File(System.getProperty("user.home") + System.getProperty("file.separator") + args[0]);
  String absPath = f.getAbsolutePath();

  if (!isInSecureDir(Paths.get(absPath))) {
    throw new IllegalArgumentException();
  }
  if (!validate(absPath)) {  // Validation
    throw new IllegalArgumentException();
  }
}

...

This compliant solution uses the getCanonicalPath() method, introduced in Java 2, because it resolves all aliases, shortcuts, and symbolic links consistently across all platforms. Special file names such as dot dot (..) are also removed so that the input is reduced to a canonicalized form before validation is carried out. An attacker cannot use ../ sequences to break out of the specified directory when the validate() method is present.

public static void main(String[] args) throws IOException {
  File f = new File(System.getProperty("user.home") + System.getProperty("file.separator")+ args[0]);
  String canonicalPath = f.getCanonicalPath();

  if (!isInSecureDir(Paths.get(canonicalPath))) {
    throw new IllegalArgumentException();
  }
  if (!validate(canonicalPath)) {  // Validation
    throw new IllegalArgumentException();
  }
}

...

A comprehensive way of handling this issue is to grant the application the permissions to operate only on files present within the intended directory — the user's home directory in this example. This compliant solution specifies the absolute path of the program in its security policy file and grants java.io.FilePermission with target ${user.home}/* and actions read and write.

grant codeBase "file:/home/programpath/" {
  permission java.io.FilePermission "${user.home}/*", "read, write";
};

...

This noncompliant code example allows the user to specify the absolute path of a file name on which to operate. The user can specify files outside the intended directory (/img in this example) by entering an argument that contains ../ sequences and consequently violates the intended security policies of the program.

FileOutputStream fis = new FileOutputStream(new File("/img/" + args[0]));
// ...

...

This noncompliant code example attempts to mitigate the issue by using the File.getCanonicalPath() method, which fully resolves the argument and constructs a canonicalized path. For example, the path /img/../etc/passwd resolves to /etc/passwd. Canonicalization without validation is insufficient because an attacker can specify files outside the intended directory.

File f = new File("/img/" + args[0]);
String canonicalPath = f.getCanonicalPath();
FileOutputStream fis = new FileOutputStream(f);
// ...

...

This compliant solution obtains the file name from the untrusted user input, canonicalizes it, and then validates it against a list of benign pathnames. It operates on the specified file only when validation succeeds; that is, only if the file is one of the two valid files file1.txt or file2.txt in /img/java.

File f = new File("/img/" + args[0]);
String canonicalPath = f.getCanonicalPath();

if (!canonicalPath.equals("/img/java/file1.txt") &&
    !canonicalPath.equals("/img/java/file2.txt")) {
   // Invalid file; handle error
}

FileInputStream fis = new FileInputStream(f);

...

This compliant solution grants the application the permissions to read only the intended files or directories. For example, read permission is granted by specifying the absolute path of the program in the security policy file and granting java.io.FilePermission with the canonicalized absolute path of the file or directory as the target name and with the action set to read.

// All files in /img/java can be read
grant codeBase "file:/home/programpath/" {
  permission java.io.FilePermission "/img/java", "read";
};

...

Automated Detection

Related Vulnerabilities

CVE-2005-0789 describes a directory traversal vulnerability in LimeWire 3.9.6 through 4.6.0 that allows remote attackers to read arbitrary files via a .. (dot dot) in a magnet request.

...