External Control of File Name or Path
Draft Base
Structure: Simple
Description
The product allows user input to control or influence paths or file names that are used in filesystem operations.
This could allow an attacker to access or modify system files or other files that are critical to the application. Path manipulation errors occur when the following two conditions are met: ``` 1. An attacker can specify a path used in an operation on the filesystem. 2. By specifying the resource, the attacker gains a capability that would not otherwise be permitted. ``` For example, the program may give the attacker the ability to overwrite the specified file or run with a configuration controlled by the attacker.
Common Consequences 3
Scope: IntegrityConfidentiality
Impact: Read Files or DirectoriesModify Files or Directories
The application can operate on unexpected files. Confidentiality is violated when the targeted filename is not directly readable by the attacker.
Scope: IntegrityConfidentialityAvailability
Impact: Modify Files or DirectoriesExecute Unauthorized Code or Commands
The application can operate on unexpected files. This may violate integrity if the filename is written to, or if the filename is for a program or other form of executable code.
Scope: Availability
Impact: DoS: Crash, Exit, or RestartDoS: Resource Consumption (Other)
The application can operate on unexpected files. Availability can be violated if the attacker specifies an unexpected file that the application modifies. Availability can also be affected if the attacker specifies a filename for a large file, or points to a special device or a file that does not have the format that the application expects.
Detection Methods 1
Automated Static Analysis
The external control or influence of filenames can often be detected using automated static analysis that models data flow within the product.
Automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives - i.e., warnings that do not have any security consequences or require any code changes.
Potential Mitigations 8
Phase: Architecture and Design
When the set of filenames is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames, and reject all other inputs. For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap provide this capability.
Phase: Architecture and DesignOperation
Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict all access to files within a particular directory.
Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection.
This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.
Be careful to avoid Creation of chroot Jail Without Changing Working Directory and other weaknesses related to jails.
Phase: Architecture and Design
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid Client-Side Enforcement of Server-Side Security. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Phase: Implementation
Strategy: Input Validation
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as Relative Path Traversal, and exclude directory separators such as "/" to avoid Absolute Path Traversal. Use a list of allowable file extensions, which will help to avoid Unrestricted Upload of File with Dangerous Type.
Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (Incomplete List of Disallowed Inputs). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (Collapse of Data into Unsafe Value). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Effectiveness: High
Phase: Implementation
Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (Relative Path Traversal, Improper Link Resolution Before File Access ('Link Following')).
Phase: InstallationOperation
Use OS-level permissions and run as a low-privileged user to limit the scope of any successful attack.
Phase: OperationImplementation
If you are using PHP, configure your application so that it does not use register_globals. During implementation, develop your application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'), Variable Extraction Error, and similar issues.
Phase: Testing
Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.
Demonstrative Examples 2
ID : DX-65
The following code uses input from an HTTP request to create a file name. The programmer has not considered the possibility that an attacker could provide a file name such as "../../tomcat/conf/server.xml", which causes the application to delete one of its own configuration files (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')).Code Example:
Bad
Java
javaID : DX-66
The following code uses input from a configuration file to determine which file to open and echo back to the user. If the program runs with privileges and malicious users can change the configuration file, they can use the program to read any file on the system that ends with the extension .txt.Code Example:
Bad
Java
javaObserved Examples 3
CVE-2022-45918Chain: a learning management tool debugger uses external input to locate previous session logs (External Control of File Name or Path) and does not properly validate the given path (Improper Input Validation), allowing for filesystem path traversal using "../" sequences (Path Traversal: '../filedir')
CVE-2008-5748Chain: external control of values for user's desired language and theme enables path traversal.
CVE-2008-5764Chain: external control of user's target language enables remote file inclusion.
References 2
Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors
Katrina Tsipenyuk, Brian Chess, and Gary McGraw
NIST Workshop on Software Security Assurance Tools Techniques and Metrics • NIST
07-11-2005
ID: REF-6
OWASP Enterprise Security API (ESAPI) Project
OWASP
ID: REF-45
Likelihood of Exploit
High
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Architecture and Design
Implementation
Related Attack Patterns
- 13ASP.NET Misconfiguration: Password in Configuration File
- 64Windows Shortcut Following (.LNK)
- 72Improper Handling of Apple HFS+ Alternate Data Stream Path
- 76Improper Neutralization of Equivalent Special Elements
- 78Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- 79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- 80Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
- 267Privilege Defined With Unsafe Actions
Related Weaknesses
ChildOf:
Improper Input Validation (CWE-20)
CanPrecede:
Improper Resolution of Path Equivalence (CWE-41)
Taxonomy Mapping
- 7 Pernicious Kingdoms
- Software Fault Patterns
Notes
MaintenanceProcess Control is a Class, but it is listed a child of External Control of File Name or Path in view 1000. This suggests some abstraction problems that should be resolved in future versions.
Relationship
The external control of filenames can be the primary link in chains with other file-related weaknesses, as seen in the CanPrecede relationships. This is because software systems use files for many different purposes: to execute programs, load code libraries, to store application data, to store configuration settings, record temporary data, act as signals or semaphores to other processes, etc.
However, those weaknesses do not always require external control. For example, link-following weaknesses (Improper Link Resolution Before File Access ('Link Following')) often involve pathnames that are not controllable by the attacker at all.
The external control can be resultant from other issues. For example, in PHP applications, the register_globals setting can allow an attacker to modify variables that the programmer thought were immutable, enabling file inclusion (Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')) and path traversal (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')). Operating with excessive privileges (Execution with Unnecessary Privileges) might allow an attacker to specify an input filename that is not directly readable by the attacker, but is accessible to the privileged program. A buffer overflow (Improper Restriction of Operations within the Bounds of a Memory Buffer) might give an attacker control over nearby memory locations that are related to pathnames, but were not directly modifiable by the attacker.