Local file inclusion
Need
Prevention of unauthorized access to sensitive files on the server
Context
• Usage of TypeScript for statically typed JavaScript development
• Usage of Express for building web applications and handling HTTP requests
• Usage of path for working with file and directory paths
Description
1. Non compliant code
import express from 'express';
import path from 'path';
const app = express();
app.get('/file', (req, res) => {
  const filePath = req.query.path;
  res.sendFile(absolutePath);...The vulnerability in this code is a Local File Inclusion (LFI) vulnerability. It occurs in the `/file` route handler where the application takes a query parameter `path` from the user and uses it to construct an absolute file path using the `path.join()` function. The issue is that the application does not validate or sanitize the `path` parameter, allowing an attacker to manipulate it and potentially access sensitive files on the server. By providing a relative path or by traversing directories, an attacker can read or execute arbitrary files on the server. For example, an attacker could make a request to `/file?path=../config/database.json` to read the contents of the database configuration file, which may contain sensitive information such as database credentials. This vulnerability can have severe consequences as it allows an attacker to visualize the content of sensitive files, obtain sensitive data, or even read system files. To mitigate this vulnerability, the application should validate and sanitize the `path` parameter to ensure it does not contain any relative paths or directory traversal sequences. Additionally, it is recommended to disable insecure functions that allow reading of arbitrary files on the server.
2. Steps
• Validate the `filePath` parameter to ensure it does not contain relative paths.
• Disable insecure functions that allow reading of arbitrary files on the server.
• Implement proper error handling for file not found or access denied scenarios.
3. Secure code example
import express from 'express';
import path from 'path';
const app = express();
app.get('/file', (req, res) => {
  const filePath = req.query.path;
  // Step 1: Validate the filePath parameter...The fixed code addresses the vulnerability by implementing several measures. 1. Validation of the filePath parameter: - The code checks if the filePath parameter is provided and if it is an absolute path using the `path.isAbsolute()` function. - If the filePath is missing or not an absolute path, the code returns a 400 Bad Request response, indicating an invalid file path. 2. Disabling insecure functions: - The code includes a commented line that disables the insecure function for reading arbitrary files. - By commenting out this line, the code prevents the execution of insecure functions that could allow unauthorized access to sensitive files on the server. 3. Proper error handling: - The code uses a try-catch block to handle any potential errors that may occur during file handling. - If an error occurs, it is logged to the console, and a 500 Internal Server Error response is sent to the client. Overall, the fixed code ensures that the filePath parameter is validated and only allows absolute paths. It also disables insecure functions and implements proper error handling to prevent unauthorized access to sensitive files and provide a more secure application.
References
• 123. Local file inclusion