logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

Lack of data validation - Path Traversal - Python

Need

Implementation of proper input validation and sanitization to prevent path traversal attacks.

Context

  1. Usage of Python 3 for writing and executing Python code
  2. Usage of Django for building web applications in Python

Description

Insecure Code Example

from django.http import FileResponse

def serve_file(request, file_path):
    return FileResponse(open(file_path, 'rb'))

The function `serve_file` takes a `request` object and a `file_path` string as inputs. It is intended to return a `FileResponse` object which contains the content of the file located at `file_path`. However, this function does not validate or sanitize the `file_path` input in any way. This means that a user could potentially provide a `file_path` that includes special elements, such as `../`, to traverse to directories that should not be accessible. For example, a malicious user could provide a `file_path` of `../../../../etc/passwd` to access the system's password file. This is a serious security vulnerability known as Path Traversal, which can lead to unauthorized access to files and data.

Steps

  1. Validate the file_path input to ensure it is safe and expected. This can be done using regular expressions or a whitelist of allowed inputs.
  2. Use a library or built-in function to sanitize the file_path input. This will remove or escape any special characters that could be used in a path traversal attack.
  3. Implement a mechanism to map user-supplied file names to the actual file names on the server. This way, the user does not have direct access to the file system.
  4. Use a built-in function to resolve the absolute path of the file. This will ensure that the file_path input cannot be used to navigate to other directories.
  5. Limit the permissions of the user running the application. This will limit the potential damage of a path traversal attack.

Secure Code Example

import os
from django.http import FileResponse, HttpResponseBadRequest

def serve_file(request, file_path):
    # Validate the file_path input to ensure it is safe and expected
    if not os.path.isfile(file_path) or ".." in file_path:
        return HttpResponseBadRequest("Invalid file path.")
    
    # Use a built-in function to resolve the absolute path of the file
    absolute_path = os.path.abspath(file_path)
    
    # Implement a mechanism to map user-supplied file names to the actual file names on the server
    # In this case, we are simply using the absolute path of the file
    mapped_path = absolute_path
    
    return FileResponse(open(mapped_path, 'rb'))

The updated code includes several measures to prevent path traversal attacks: 1. **Input Validation**: The `os.path.isfile(file_path)` function checks if the `file_path` input corresponds to an existing file. The `".." in file_path` condition checks if the input contains "..", which is a special character sequence used in path traversal attacks. If the input is not a valid file path or contains "..", the function returns an HTTP 400 Bad Request response. 2. **Path Resolution**: The `os.path.abspath(file_path)` function is used to resolve the absolute path of the file. This ensures that the `file_path` input cannot be used to navigate to other directories. 3. **Path Mapping**: The `mapped_path` variable is used to map user-supplied file names to the actual file names on the server. In this case, we are simply using the absolute path of the file. This way, the user does not have direct access to the file system. 4. **File Access**: The `FileResponse(open(mapped_path, 'rb'))` line opens the file in binary mode for reading and returns it as a response. This is done under the permissions of the user running the application, which should be limited to prevent potential damage from a path traversal attack.

References

  • 063 - Lack of data validation - Path Traversal

    • Last updated

    2023/09/18