Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

This rule is an instance of IDS02-J. Normalize strings before validating them.

Noncompliant Code Example

This noncompliant code example accepts a file path as a command line argument and uses the File.getAbsolutePath() method to obtain the absolute file path. This method does not automatically resolve symbolic links.

...

Note that File.getAbsolutePath() actually does resolve all symbolic links, aliases and short cuts on Windows and Macintosh platforms. Nevertheless, the JLS lacks any guarantee that this behavior is present on all platforms or that it will continue in future implementations.

Compliant Solution (getCanonicalPath())

This compliant solution uses the getCanonicalPath() method, introduced in Java 2, because it resolves all aliases, shortcuts or symbolic links consistently, across all platforms. The value of the alias (if any) is not included in the returned value. Moreover, relative references like the double period (..) are also removed so that the input is reduced to a canonicalized form before validation is carried out. An attacker cannot use ../ sequences to break out of the specified directory when the validate() method is present.

...

The getCanonicalPath() method throws a security exception when used within applets as it reveals too much information about the host machine. The getCanonicalFile() method behaves like getCanonicalPath() but returns a new File object instead of a String.

Compliant Solution (Security Manager)

A comprehensive way of handling this issue is to grant the application the permissions to operate only on files present within the intended directory — /tmp in this example. This compliant solution specifies the absolute path of the program in its security policy file, and grants java.io.FilePermission with target /tmp and actions read and write.

...

See rule ENV02-J. Create a secure sandbox using a Security Manager for additional information on using security managers.

Noncompliant Code Example

This noncompliant code example allows the user to specify the absolute path of a file name on which to operate. The user can specify files outside the intended directory (/img in this example) by entering an argument that contains ../ sequences, and consequently violate the intended security policies of the program.

Code Block
bgColor#FFCCCC
FileOutputStream fis = new FileOutputStream(new File("/img/" + args[0]));
// ...

Noncompliant Code Example

This noncompliant code example attempts to mitigate the issue by using the File.getCanonicalPath() method, which fully resolves the argument and constructs a canonicalized path. For example, the path /img/../etc/passwd resolves to /etc/passwd. Validation without canonicalization remains insecure because the user can specify files outside the intended directory.

Code Block
bgColor#FFCCCC
File f = new File("/img/" + args[0]);
String canonicalPath = f.getCanonicalPath();		  
FileOutputStream fis = new FileOutputStream(f);
// ...

Compliant Solution

This compliant solution obtains the file name from the untrusted user input, canonicalizes it and then validates it against the intended file name. It operates on the specified file only when validation succeeds.

Code Block
bgColor#ccccff
File f = new File("/img/" + args[0]);
String canonicalPath = f.getCanonicalPath();

if (canonicalPath.equals("/img/java/file1.txt")) {  // Validation
   // Do something
}

if (!canonicalPath.equals("/img/java/file2.txt")) {  // Validation
   // Do something
}

FileOutputStream fis = new FileOutputStream(f);		

Compliant solution (Security Manager)

A comprehensive solution is to grant the application the permissions to read only the specifically intended files or directories. Grant these permissions by to specifying the absolute path of the program in the security policy file and granting java.io.FilePermission with the canonicalized absolute path of the file or directory as the target name and with the action set to read.

...

See rule ENV02-J. Create a secure sandbox using a Security Manager for additional information on using security managers.

Risk Assessment

Using path names from untrusted sources without first canonicalizing them and then validating them can result in directory traversal attacks.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

IDS21-J

medium

unlikely

medium

P4

L3

Other Languages

This rule appears in the C Secure Coding Standard as FIO02-C. Canonicalize path names originating from untrusted sources.

This rule appears in the C++ Secure Coding Standard as FIO02-CPP. Canonicalize path names originating from untrusted sources.

Related Vulnerabilities

CVE-2005-0789

 

CVE-2008-5518

 

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="16d97a88488c16b8-07a900d4-4e8d4a1c-bf6483a6-6279b6faa422ccecb8b00319"><ac:plain-text-body><![CDATA[

[[MITRE 2009

AA. Bibliography#MITRE 09]]

[CWE ID 171

http://cwe.mitre.org/data/definitions/171.html] "Cleansing, Canonicalization, and Comparison Errors"]]></ac:plain-text-body></ac:structured-macro>

 

CWE ID 647 "Use of Non-Canonical URL Paths for Authorization Decisions"

Bibliography

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="d1b08d7155d309a4-ed273d0e-407344fd-b151a5fb-4727d44318cff948e7a14e0b"><ac:plain-text-body><![CDATA[

[[API 2006

AA. Bibliography#API 06]]

[method getCanonicalPath()

http://java.sun.com/javase/6/docs/api/java/io/File.html#getCanonicalPath()]

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="d93b0eb4d2e80110-aef9a350-49f74ef8-a9bcaabd-2ebf9980197a9eefa7c8ba66"><ac:plain-text-body><![CDATA[

[[API 2006

AA. Bibliography#API 06]]

[method getCanonicalFile()

http://java.sun.com/javase/6/docs/api/java/io/File.html#getCanonicalFile()]

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="2a77047227988ba4-e50c8f8b-4a9c4bec-8d069acb-1dc106d444dd4647032f7467"><ac:plain-text-body><![CDATA[

[[Harold 1999

AA. Bibliography#Harold 99]]

 

]]></ac:plain-text-body></ac:structured-macro>

...