Page History

Wiki MarkupAccording to the Java API \ [[API 2006|AA. Bibliography#API 06]\], class {{] for class java.io.File}}:

A path namepathname, whether abstract or in string form, may be either absolute or relative. An absolute path name pathname is complete in that no other information is required to locate the file that it denotes. A relative path namepathname, in contrast, must be interpreted in terms of information taken from some other path namepathname.

Absolute or relative path names may contain file links such as symbolic (soft) links, hard links, short cutsshortcuts, shadows, aliases, and junctions rather than canonical paths. These aliases file links must be fully resolved before any file validation operations are performed. For example, the final target of a symbolic link called trace might be the path name /home/system/trace. Path names may also contain special file names that make validation difficult:

1. “".” " refers to the directory itself.
2. Inside a directory, the special file name “"..” " refers to the directory’s directory's parent directory.

In addition to these specific issues, there are a wide variety of operating system–specific and file system specific system–specific naming conventions which make validation difficult.

The process of canonicalizing Canonicalizing file names makes it easier to validate an a path name. More than one path name can refer to a single directory or file. Further, the textual representation of an a path name may yield little or no information regarding the directory or file to which it refers. Consequently, all path names must be fully resolved or canonicalized before validation.

This is necessary because operating on untrusted user input may result in Validation may be necessary, for example, when attempting to restrict user access to files within a particular directory or to otherwise make security decisions based on the name of a file name or path name. Frequently, these restrictions can be circumvented by an attacker by exploiting a directory traversal or path equivalence vulnerability. A directory traversal vulnerability allows an I/O operation to escape a specified operating directory. A path equivalence vulnerabilities occur vulnerability occurs when an attacker provides a different but equivalent name for a resource to bypass security checks.

Canonicalization contains an inherent race condition window between the time you

...

the program obtains the canonical path name

...

During this time and the time it opens the file. While the canonical path name is being validated, the file system may have been modified and the canonical path name may no longer be referencing a valid filereference the original valid file. Fortunately, this race condition can be easily mitigated. The canonical path name can be used to determine if whether the referenced file name is in a secure directory (see FIO00-J. Do not operate on files in shared directories for more information). If the referenced file is in a secure directory, then, by definition, an attacker cannot tamper with it , and cannot exploit the race condition.

This rule recommendation is a specific instance of IDS01-J. Normalize strings before validating them.

Noncompliant Code Example

This noncompliant code example accepts a file path as a command line argument and uses the File.getAbsolutePath() method to obtain the absolute file path. It also uses the isInSecureDir() method allows the user to specify the path of an image file to open. By prepending /img/ to the directory, this code enforces a policy that only files in this directory should be opened. The program also uses the isInSecureDir() method defined in FIO00-J. Do not operate on files in shared directories to ensure that the file is in a secure directory. But it does not resolve file links or eliminate equivalence errors. 

However, the user can still specify a file outside the intended directory by entering an argument that contains ../ sequences.  An attacker can also create a link in the /img directory that refers to a directory or file outside of that directory. The path name of the link might appear to reside in the /img directory and consequently pass validation, but the operation will actually be performed on the final target of the link, which can reside outside the intended directory.

File file
public static void main(String[] args) {
  File f = new File("/home/meimg/" + args[0]);
  String absPath = f.getAbsolutePath();

  if (!isInSecureDir(Paths.get( absPath)file)) {
    throw new IllegalArgumentException();
  }
FileOutputStream  if (!validate(absPath)) {  // Validation
    throw new IllegalArgumentException();
  }		  
}

The application intends to restrict the user from operating on files outside the {{/home/me}} directory and uses a {{validate()}} method to enforce this condition. The path name validation can be easily circumvented.  For example, if the directory were not seucre, an attacker who can create symbolic links in {{/home/me}} can cause the program to pass validation checks by supplying the unresolved path. All file operations performed are reflected in the file pointed to by the symbolic link. If the string {{filename}} is passed as {{argv\[0\]}} and {{/home/me/filename}} is a symbolic link that refers to {{/dirname/filename}} the validation passes.  This is because the root directory of the compiled path name is still {{/home/me}}, but the operations are carried out on the file {{/dirname/filename}}.

Note that File.getAbsolutePath() does resolve symbolic links, aliases, and short cuts on Windows and Macintosh platforms. Nevertheless, the JLS lacks any guarantee that this behavior is present on all platforms or that it will continue in future implementations.

fis = new FileOutputStream(file);
// ...

Noncompliant Code Example

...

(getCanonicalPath())

This compliant solution uses the noncompliant code example attempts to mitigate the issue by using the File.getCanonicalPath() method, introduced in Java 2, because it resolves all aliases, shortcuts, or symbolic links consistently across all platforms. Special which fully resolves the argument and constructs a canonicalized path. Special file names such as dot dot (..) are also removed so that the input is reduced to a canonicalized form before validation is carried out. An attacker cannot use ../ sequences to break out of the specified directory when the validate() method is present.

public static void main(String[] args) throws IOException {
  File f = new File("/home/me/" + args[0]);
  String canonicalPath = f.getCanonicalPath();

  if (!isInSecureDir(Paths.get(canonicalPath))) {
    throw new IllegalArgumentException();
  }
  if (!validate(canonicalPath)) {  // Validation
    throw new IllegalArgumentException();
  }
}

The  For example, the path /img/../etc/passwd resolves to /etc/passwd. The getCanonicalPath() method throws a security exception when used within in applets as because it reveals too much information about the host machine. The getCanonicalFile() method behaves like getCanonicalPath() but returns a new File object instead of a String.

Compliant Solution (Security Manager)

A comprehensive way of handling this issue is to grant the application the permissions to operate only on files present within the intended directory — /home/me in this example. This compliant solution specifies the absolute path of the program in its security policy file, and grants java.io.FilePermission with target /home/me and actions read and write.

grant codeBase "file:/home/programpath/" {
  permission java.io.FilePermission "/home/me", "read, write";
};

This solution does require that /home/me must be a secure directory, and associated code should check this requirement and abort if it is not met.

Noncompliant Code Example

This noncompliant code example allows the user to specify the absolute path of a file name on which to operate. The user can specify files outside the intended directory (/img in this example) by entering an argument that contains ../ sequences, and consequently violate the intended security policies of the programUnfortunately, the canonicalization is performed after the validation, which renders the validation ineffective.

FileOutputStreamFile fisfile = new FileOutputStream(new File("/img/" + args[0]));
// ...

Noncompliant Code Example

The following code examples assume that /img and /img/java are secure directories.

This noncompliant code example attempts to mitigate the issue by using the File.getCanonicalPath() method, which fully resolves the argument and constructs a canonicalized path. For example, the path /img/../etc/passwd resolves to /etc/passwd. Validation without canonicalization remains insecure because the user can specify files outside the intended directory.

File f = new File("/img/" + args[0]);
if (!isInSecureDir(file)) {
  throw new IllegalArgumentException();
}
String canonicalPath = ffile.getCanonicalPath();		  
FileOutputStream fis = new FileOutputStream(fcanonicalPath);
// ...

Compliant

...

Solution (getCanonicalPath())

This compliant solution obtains the file name from the untrusted user input, canonicalizes it, and then validates it against the intended file namea list of benign path names. It operates on the specified file only when validation succeeds, that is, only if the file is one of the two valid files file1.txt or file2.txt in /img/java.

File ffile = new File("/img/" + args[0]);
if (!isInSecureDir(file)) {
  throw new IllegalArgumentException();
}
String canonicalPath = ffile.getCanonicalPath();

if (!canonicalPath.equals("/img/java/file1.txt")) {  // Validation&&
   // Do something
}

if (!canonicalPath.equals("/img/java/file2.txt")) {
   // Validation
Invalid file;  // Do somethinghandle error
}

FileOutputStreamFileInputStream fis = new FileOutputStreamFileInputStream(f);		

Compliant

...

Solution (Security Manager)

A comprehensive solution way to handle this issue is to grant the application the permissions to read operate only on files present within the specifically intended files or directories. Grant these permissions by to specifying intended directory—the /img directory in this example. This compliant solution specifies the absolute path of the program in the its security policy file and granting grants java.io.FilePermission with the canonicalized absolute path of the file or directory as the target name and with the action set to readtarget /img/java and the read action.
This solution requires that the /img directory is a secure directory, as described in FIO00-J. Do not operate on files in shared directories.

// All files in /img/java can be read
grant codeBase "file:/home/programpath/" {
  permission java.io.FilePermission "/img/java", "read";
};

Risk Assessment

Using path names from untrusted sources without first canonicalizing them and then validating them can result in directory traversal and path equivalence vulnerabilities.

Automated Detection

Related Vulnerabilities

CVE-2005-0789 describes a directory traversal vulnerability in LimeWire 3.9.6 through 4.6.0 that allows remote attackers to read arbitrary files via a .. (dot dot) in a magnet request.

CVE-2008-5518 describes multiple directory traversal vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 on Windows that allow remote attackers to upload files to arbitrary directories.

Related Guidelines

Bibliography

Android Implementation Details

This rule is applicable in principle to Android. Please refer to the Android-specific instance of this rule: DRD08-J. Always canonicalize a URL received by a content provider.

Bibliography

...

Image Added Image Added Image AddedImage Removed      Image Removed      IDS03-J. Validate all data passed in through environment variables and non-default properties