
Lack of data validation - Path Traversal

Need

Prevent unauthorized access to files and directories outside the intended path scope.

Context

• Usage of Elixir for building scalable and fault-tolerant applications

• Usage of Plug and Cowboy for HTTP request and response handling

• File access or operations based on user-supplied path

Description

1. Non-compliant code

defmodule VulnerableApp do
  use Plug.Router

  plug :match
  plug :dispatch

  get "/read_file" do
    # The path is taken straight from the query string (parameter name assumed)
    # and handed to File.read!/1 without any validation, so a value such as
    # "../../etc/passwd" is read as-is.
    path = fetch_query_params(conn).query_params["path"]
    file_content = File.read!(path)
    send_resp(conn, 200, file_content)
  end
end

This code takes a user-supplied path to read a file without validating or sanitizing the input, allowing an attacker to access files outside the intended directory.

2. Steps

• Always validate and sanitize user-supplied input.

• Prevent the user from supplying the full path; consider using identifiers to reference files or directories.

• Use a whitelist of allowed paths or files.

• Check for path traversal sequences (.., ~, /) in the user input and neutralize them.

3. Secure code example

defmodule SecureApp do
  use Plug.Router

  plug :match
  plug :dispatch

  get "/read_file" do
    path = fetch_query_params(conn).query_params["path"]
    if valid_path?(path),
      do: send_resp(conn, 200, File.read!(path)),
      else: send_resp(conn, 400, "invalid path")
  end

  # Accepts only a bare file name with no "..", "~" or "/" (the check from the Steps above).
  defp valid_path?(p) when is_binary(p), do: not String.contains?(p, ["..", "~", "/"])
  defp valid_path?(_), do: false
end

This code validates the user-supplied path and rejects any value containing traversal sequences before reading the file, which prevents path traversal attacks.
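Rejecting ".." and "/" is a fragile test on its own; the stronger form of the Steps above is to resolve the user-supplied name under a fixed base directory and serve it only if the fully expanded path is still inside that directory. The following Plug.Router module is an added example, not code from the original page; the module name, the base directory and the "name" query parameter are assumptions.

```elixir
# Added example, not code from the original page. Module name, the base
# directory and the "name" query parameter are assumptions.
defmodule SafeFileRouter do
  use Plug.Router

  # Every served file must live under this directory (resolved at compile time).
  @base_dir Path.expand("priv/public")

  plug :match
  plug :dispatch

  # Returns {:ok, absolute_path} only when the resolved path stays under base.
  # Path.expand/2 collapses "." and ".." lexically, and an absolute user value
  # such as "/etc/passwd" expands to itself, so both escape attempts fail the
  # prefix check below. The check is lexical: a symlink placed inside base can
  # still point outside it, so do not let users create files under base.
  # Assumes a POSIX "/" separator.
  def resolve(user_value, base \\ @base_dir)

  def resolve(user_value, base) when is_binary(user_value) do
    base = Path.expand(base)
    full = Path.expand(user_value, base)
    cond do
      String.contains?(user_value, <<0>>) -> {:error, :invalid}
      full == base -> {:error, :not_a_file}
      String.starts_with?(full, base <> "/") -> {:ok, full}
      true -> {:error, :outside_base}
    end
  end

  def resolve(_, _), do: {:error, :invalid}

  # GET /read_file?name=docs/readme.txt
  get "/read_file" do
    conn = fetch_query_params(conn)

    with {:ok, full} <- resolve(conn.query_params["name"]),
         {:ok, content} <- File.read(full) do
      send_resp(conn, 200, content)
    else
      {:error, :enoent} -> send_resp(conn, 404, "not found")
      _ -> send_resp(conn, 400, "invalid file name")
    end
  end

  match _ do
    send_resp(conn, 404, "not found")
  end
end
```

With this layout, `resolve("../../etc/passwd")` returns `{:error, :outside_base}` and `resolve("docs/readme.txt")` returns the absolute path under the base directory. Elixir 1.14 and later also provide `Path.safe_relative/1` and `Path.safe_relative_to/2`, which reject absolute paths and `..` escapes and additionally check symlinks; prefer them where available.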