Lack of data validation - Path Traversal

Need

Implementation of proper input validation and sanitization to prevent path traversal attacks.

Context

Usage of Python 3 for writing and executing Python code
Usage of Django for building web applications in Python

Description

Non compliant code

from django.http import FileResponse

def serve_file(request, file_path):
    return FileResponse(open(file_path, 'rb'))

The function serve_file takes a request object and a file_path string as inputs. It is intended to return a FileResponse object which contains the content of the file located at file_path.

However, this function does not validate or sanitize the file_path input in any way. This means that a user could potentially provide a file_path that includes special elements, such as ../, to traverse to directories that should not be accessible.

For example, a malicious user could provide a file_path of ../../../../etc/passwd to access the system's password file. This is a serious security vulnerability known as Path Traversal, which can lead to unauthorized access to files and data.

Steps

Validate the file_path input to ensure it is safe and expected. This can be done using regular expressions or a whitelist of allowed inputs.
Use a library or built-in function to sanitize the file_path input. This will remove or escape any special characters that could be used in a path traversal attack.
Implement a mechanism to map user-supplied file names to the actual file names on the server. This way, the user does not have direct access to the file system.
Use a built-in function to resolve the absolute path of the file. This will ensure that the file_path input cannot be used to navigate to other directories.
Limit the permissions of the user running the application. This will limit the potential damage of a path traversal attack.

Compliant code

import os
from django.http import FileResponse, HttpResponseBadRequest

def serve_file(request, file_path):
    # Validate the file_path input to ensure it is safe and expected
    if not os.path.isfile(file_path) or ".." in file_path:
        return HttpResponseBadRequest("Invalid file path.")
    
    # Use a built-in function to resolve the absolute path of the file
    absolute_path = os.path.abspath(file_path)
    
    # Implement a mechanism to map user-supplied file names to the actual file names on the server
    # In this case, we are simply using the absolute path of the file
    mapped_path = absolute_path
    
    return FileResponse(open(mapped_path, 'rb'))

The updated code includes several measures to prevent path traversal attacks:

Input Validation: The os.path.isfile(file_path) function checks if the file_path input corresponds to an existing file. The ".." in file_path condition checks if the input contains "..", which is a special character sequence used in path traversal attacks. If the input is not a valid file path or contains "..", the function returns an HTTP 400 Bad Request response.
Path Resolution: The os.path.abspath(file_path) function is used to resolve the absolute path of the file. This ensures that the file_path input cannot be used to navigate to other directories.
Path Mapping: The mapped_path variable is used to map user-supplied file names to the actual file names on the server. In this case, we are simply using the absolute path of the file. This way, the user does not have direct access to the file system.
File Access: The FileResponse(open(mapped_path, 'rb')) line opens the file in binary mode for reading and returns it as a response. This is done under the permissions of the user running the application, which should be limited to prevent potential damage from a path traversal attack.

References

063.Lack of data validation - Path Traversal

Need​

Context​

Description​

Non compliant code​

Steps​

Compliant code​

References​