Update qhelp for js/path-injection. #14846
Conversation
|
QHelp previews: javascript/ql/src/Security/CWE-022/TaintedPath.qhelpUncontrolled data used in path expressionAccessing files using paths constructed from user-controlled data can allow an attacker to access unexpected resources. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files. RecommendationValidate user input before using it to construct a file path. The choice of validation depends on whether you want to allow the user to specify complex paths with multiple components that may span multiple folders, or only simple filenames without a path component. In the former case, a common strategy is to make sure that the constructed file path is contained within a safe root folder. First, normalize the path using In the latter case, you can use a library like the Finally, the simplest (but most restrictive) option is to use an allow list of safe patterns and make sure that the user input matches one of these patterns. ExampleIn the first example, a file name is read from an HTTP request and then used to access a file within a root folder. However, a malicious user could enter a file name containing "../" segments to navigate outside the root folder and access sensitive files. const fs = require('fs'),
http = require('http'),
url = require('url');
const ROOT = "/var/www/";
var server = http.createServer(function(req, res) {
let filePath = url.parse(req.url, true).query.path;
// BAD: This could read any file on the file system
res.write(fs.readFileSync(ROOT + filePath, 'utf8'));
});The second example shows how to fix this. First, the file name is resolved relative to a root folder, which has the side effect of normalizing the path and removing any "../" segments. Then, const fs = require('fs'),
http = require('http'),
path = require('path'),
url = require('url');
const ROOT = "/var/www/";
var server = http.createServer(function(req, res) {
let filePath = url.parse(req.url, true).query.path;
// GOOD: Verify that the file path is under the root directory
filePath = fs.realpathSync(path.resolve(ROOT, filePath));
if (!filePath.startsWith(ROOT)) {
res.statusCode = 403;
res.end();
return;
}
res.write(fs.readFileSync(filePath, 'utf8'));
});References
|
85e4ac8
to
d147fab
Compare
There was a problem hiding this comment.
👋🏼 @max-schaefer, thanks for making these changes! I've left a few comments below, but they're all pretty small tweaks. Let me know if any of my suggestions don't make sense 🙂
| Then check that the normalized path starts with the root folder. | ||
| Note that the normalization step is important, since otherwise even a path that starts with the root folder could be used to access files outside the root folder. |
There was a problem hiding this comment.
| Then check that the normalized path starts with the root folder. | |
| Note that the normalization step is important, since otherwise even a path that starts with the root folder could be used to access files outside the root folder. | |
| You should always normalize the file path since an unnormalized path that starts with the root folder can still be used to access files outside the root folder. | |
| Then, after you have normalized the path, check that the path starts with the root folder. |
Some small suggestions here to group the normalization step with the explanation of its importance, and to maintain context for ease of localization.
| </p> | ||
|
|
||
| <p> | ||
| Ideally, follow these rules: | ||
| The choice of validation depends on whether you want to allow the user to specify complex paths with multiple components that may span multiple folders, or only simple filenames without a path component. |
There was a problem hiding this comment.
| The choice of validation depends on whether you want to allow the user to specify complex paths with multiple components that may span multiple folders, or only simple filenames without a path component. | |
| The validation method you should use depends on whether you want to allow the user to specify complex paths with multiple components that may span multiple folders, or only simple filenames without a path component. |
Small nit for clarity
| In the first example, a file name is read from an HTTP request and then used to access a file. | ||
| However, a malicious user could enter a file name which is an absolute path, such as | ||
| <code>"/etc/passwd"</code>. | ||
| In the first example, a file name is read from an HTTP request and then used to access a file within a root folder. |
There was a problem hiding this comment.
| In the first example, a file name is read from an HTTP request and then used to access a file within a root folder. | |
| In the first (bad) example, the code reads the file name from an HTTP request, then accesses that file within a root folder. |
Small edit to remove passive voice and be extra clear that this example is bad 😁
| However, a malicious user could enter a file name which is an absolute path, such as | ||
| <code>"/etc/passwd"</code>. | ||
| In the first example, a file name is read from an HTTP request and then used to access a file within a root folder. | ||
| However, a malicious user could enter a file name containing "../" segments to navigate outside the root folder and access sensitive files. |
There was a problem hiding this comment.
| However, a malicious user could enter a file name containing "../" segments to navigate outside the root folder and access sensitive files. | |
| A malicious user could enter a file name containing "../" segments to navigate outside the root folder and access sensitive files. |
Small tweak to align with the edits to the previous sentence
| reading the file located at <code>"/home/user/../../etc/passwd"</code>, which is the system's | ||
| password file. This file would then be sent back to the user, giving them access to all the | ||
| system's passwords. | ||
| The second example shows how to fix this. |
There was a problem hiding this comment.
| The second example shows how to fix this. | |
| The second (good) example shows how to avoid access to sensitive files by sanitizing the file path. |
Another tiny change to be extra clear and add context for localization
| First, the file name is resolved relative to a root folder, which has the side effect of normalizing the path and removing any "../" segments. | ||
| Then, <code>fs.realpathSync</code> is used to resolve any symbolic links in the path. | ||
| Finally, we check that the normalized path starts with the root folder's path, which ensures that the file is contained within the root folder. |
There was a problem hiding this comment.
| First, the file name is resolved relative to a root folder, which has the side effect of normalizing the path and removing any "../" segments. | |
| Then, <code>fs.realpathSync</code> is used to resolve any symbolic links in the path. | |
| Finally, we check that the normalized path starts with the root folder's path, which ensures that the file is contained within the root folder. | |
| First, the code resolves the file name relative to a root folder, normalizing the path and removing any "../" segments in the process. | |
| Then, the code calls <code>fs.realpathSync</code> to resolve any symbolic links in the path. | |
| Finally, the code checks that the normalized path starts with the path of the root folder, ensuring the file is contained within the root folder. |
A few small edits here to remove passive voice
| var server = http.createServer(function(req, res) { | ||
| let filePath = url.parse(req.url, true).query.path; | ||
|
|
||
| // BAD: This could read any file on the file system |
There was a problem hiding this comment.
| // BAD: This could read any file on the file system | |
| // BAD: This function uses unsanitized input that can read any file on the file system. |
Small suggestion for extra context/ease of localization
Analogous to #14793.