You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
if script receive path back / to the root of the system, how was os.Stat behave?
Accessing files using paths constructed from user-controlled data can allow an attacker to access unexpected resources. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.
Recommendation
Validate user input before using it to construct a file path, either using an off-the-shelf library or by performing custom validation.
Ideally, follow these rules:
Do not allow more than a single "." character.
Do not allow directory separators such as "/" or "" (depending on the file system).
Do not rely on simply replacing problematic sequences such as "../". For example, after applying this filter to ".../...//", the resulting string would still be "../".
Use an allowlist of known good patterns.
Example
In the first example, a file name is read from an HTTP request and then used to access a file. However, a malicious user could enter a file name which is an absolute path, such as "/etc/passwd".
In the second example, it appears that the user is restricted to opening a file within the "user" home directory. However, a malicious user could enter a file name containing special characters. For example, the string "../../etc/passwd" will result in the code reading the file located at "/home/user/../../etc/passwd", which is the system's password file. This file would then be sent back to the user, giving them access to password information.
package main
import (
"io/ioutil""net/http""path/filepath"
)
funchandler(w http.ResponseWriter, r*http.Request) {
path:=r.URL.Query()["path"][0]
// BAD: This could read any file on the file systemdata, _:=ioutil.ReadFile(path)
w.Write(data)
// BAD: This could still read any file on the file systemdata, _=ioutil.ReadFile(filepath.Join("/home/user/", path))
w.Write(data)
}
prest/adapters/postgres/queries.go
Line 39 in 033bf64
if
script
receive path back/
to the root of the system, how wasos.Stat
behave?Accessing files using paths constructed from user-controlled data can allow an attacker to access unexpected resources. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.
Recommendation
Validate user input before using it to construct a file path, either using an off-the-shelf library or by performing custom validation.
Ideally, follow these rules:
Example
In the first example, a file name is read from an HTTP request and then used to access a file. However, a malicious user could enter a file name which is an absolute path, such as "/etc/passwd".
In the second example, it appears that the user is restricted to opening a file within the
"user"
home directory. However, a malicious user could enter a file name containing special characters. For example, the string"../../etc/passwd"
will result in the code reading the file located at "/home/user/../../etc/passwd", which is the system's password file. This file would then be sent back to the user, giving them access to password information.References
The text was updated successfully, but these errors were encountered: