Path traversal
Stay organized with collections
Save and categorize content based on your preferences.
OWASP category: MASVS-STORAGE: Storage
Overview
Path traversal vulnerabilities occur when an attacker can control part of the
path that is then passed to the file system APIs without validation. This can
lead to unauthorized file system operations. For example, an attacker might use
special characters such as ../ to unexpectedly change the resource target, by
traversing outside of the targeted directory.
Impact
The impact varies depending on the operation and file content, but generally
leads to a file overwrite (when writing files), data leak (when reading files),
or permission changes (when changing file or directory permissions).
Mitigations
Canonicalize the path using File.getCanonicalPath() and compare the
prefix with the expected directory:
Kotlin
@Throws(IllegalArgumentException::class)
fun saferOpenFile(path: String, expectedDir: String?): File {
val f = File(path)
val canonicalPath = f.canonicalPath
require(canonicalPath.startsWith(expectedDir!!))
return f
}
Java
public File saferOpenFile (String path, String expectedDir) throws IllegalArgumentException {
File f = new File(path);
String canonicalPath = f.getCanonicalPath();
if (!canonicalPath.startsWith(expectedDir)) {
throw new IllegalArgumentException();
}
return f;
}
An additional best practice is to use validation to ensure only expected
outcomes occur. Examples include the following:
- Checking if the file already exists to prevent an accidental overwrite.
- Checking if the targeted file is an expected target to prevent leaking data or
incorrectly changing permissions.
- Checking if the current directory of the operation is exactly as expected in
the return value from the canonical path.
- Ensuring a permissions system is explicitly scoped to the operation, such as
checking that it isn't running services as root, and ensuring that the directory
permissions are scoped to the service or command specified.
Content and code samples on this page are subject to the licenses described in the Content License. Java and OpenJDK are trademarks or registered trademarks of Oracle and/or its affiliates.
Last updated 2024-10-30 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2024-10-30 UTC."],[],[],null,["# Path traversal\n\n\u003cbr /\u003e\n\n**OWASP category:** [MASVS-STORAGE: Storage](https://mas.owasp.org/MASVS/05-MASVS-STORAGE)\n\nOverview\n--------\n\nPath traversal vulnerabilities occur when an attacker can control part of the\npath that is then passed to the file system APIs without validation. This can\nlead to unauthorized file system operations. For example, an attacker might use\nspecial characters such as `../` to unexpectedly change the resource target, by\ntraversing outside of the targeted directory.\n\nImpact\n------\n\nThe impact varies depending on the operation and file content, but generally\nleads to a file overwrite (when writing files), data leak (when reading files),\nor permission changes (when changing file or directory permissions).\n\nMitigations\n-----------\n\nCanonicalize the path using [`File.getCanonicalPath()`](/reference/java/io/File#getCanonicalPath()) and compare the\nprefix with the expected directory: \n\n### Kotlin\n\n @Throws(IllegalArgumentException::class)\n fun saferOpenFile(path: String, expectedDir: String?): File {\n val f = File(path)\n val canonicalPath = f.canonicalPath\n require(canonicalPath.startsWith(expectedDir!!))\n return f\n }\n\n### Java\n\n public File saferOpenFile (String path, String expectedDir) throws IllegalArgumentException {\n File f = new File(path);\n String canonicalPath = f.getCanonicalPath();\n if (!canonicalPath.startsWith(expectedDir)) {\n throw new IllegalArgumentException();\n }\n return f;\n }\n\nAn additional best practice is to use validation to ensure only expected\noutcomes occur. Examples include the following:\n\n- Checking if the file already exists to prevent an accidental overwrite.\n- Checking if the targeted file is an expected target to prevent leaking data or incorrectly changing permissions.\n- Checking if the current directory of the operation is exactly as expected in the return value from the canonical path.\n- Ensuring a permissions system is explicitly scoped to the operation, such as checking that it isn't running services as root, and ensuring that the directory permissions are scoped to the service or command specified."]]
