Only Filtering Special Elements at a Specified Location
Incomplete Base
Structure: Simple
Description
The product receives data from an upstream component, but only accounts for special elements at a specified location, thereby missing remaining special elements that may exist before sending it to a downstream component.
A filter might only account for instances of special elements when they occur: - relative to a marker (e.g. "at the beginning/end of string; the second argument"), or - at an absolute position (e.g. "byte number 10"). This may leave special elements in the data that did not match the filter position, but still may be dangerous.
Common Consequences 1
Scope: Integrity
Impact: Unexpected State
Demonstrative Examples 2
ID : DX-3
The following code takes untrusted input and uses a regular expression to filter a "../" element located at the beginning of the input string. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path.Code Example:
Bad
Perl
perlSince the regular expression is only looking for an instance of "../" at the beginning of the string, it only removes the first "../" element. So an input value such as:
Code Example:
Attack
bashwill have the first "../" stripped, resulting in:
Code Example:
Result
bashThis value is then concatenated with the /home/user/ directory:
Code Example:
Result
bashwhich causes the /etc/passwd file to be retrieved once the operating system has resolved the ../ sequences in the pathname. This leads to relative path traversal (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')).
ID : DX-4
The following code takes untrusted input and uses a substring function to filter a 3-character "../" element located at the 0-index position of the input string. It then appends this result to the /home/user/ directory and attempts to read the file in the final resulting path.Code Example:
Bad
Perl
perlSince the if function is only looking for a substring of "../" between the 0 and 2 position, it only removes that specific "../" element. So an input value such as:
Code Example:
Attack
bashwill have the first "../" filtered, resulting in:
Code Example:
Result
bashThis value is then concatenated with the /home/user/ directory:
Code Example:
Result
bashwhich causes the /etc/passwd file to be retrieved once the operating system has resolved the ../ sequences in the pathname. This leads to relative path traversal (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')).
Modes of Introduction
Implementation
Related Weaknesses