External Control of File Name or Path (Veracode CWE ID 73) #747

Open
@leviyakir

We have used Veracode to scan the Akavache library and it has come up with this issue:

Description

Allowing user input to control paths used in filesystem operations may enable an attacker to access or modify otherwise
protected system resources that would normally be inaccessible to end users. In some cases, the user-provided input may be
passed directly to the filesystem operation, or it may be concatenated to one or more fixed strings to construct a fully-qualified
path.
When an application improperly cleanses special character sequences in user-supplied filenames, a path traversal (or
directory traversal) vulnerability may occur. For example, an attacker could specify a filename such as "../../etc/passwd",
which resolves to a file outside of the intended directory that the attacker would not normally be authorized to view.

Recommendations

Assume all user-supplied input is malicious. Validate all user-supplied input to ensure that it conforms to the expected format,
using centralized data validation routines when possible. When using black lists, be sure that the sanitizing routine performs a
sufficient number of iterations to remove all instances of disallowed characters and ensure that the end result is not
dangerous.

The specific reference is to:
https://github.com/reactiveui/Akavache/blob/main/src/Akavache.Sqlite3/SQLite.cs#L3464
https://github.com/reactiveui/Akavache/blob/main/src/Akavache.Sqlite3/SQLite.cs#L3469

Description

This call contains a path manipulation flaw. The argument to the function is a filename constructed using untrusted
input. If an attacker is allowed to specify all or part of the filename, it may be possible to gain unauthorized access to
files on the server, including those outside the webroot, that would normally be inaccessible to end users. The level
of exposure depends on the effectiveness of input validation routines, if any.

Recommendations

Validate all untrusted input to ensure that it conforms to the expected format, using centralized data validation routines
when possible. When using black lists, be sure that the sanitizing routine performs a sufficient number of iterations to
remove all instances of disallowed characters.
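
A centralized validation routine of the kind the report recommends, as an added example that is not code from Akavache or from the Veracode report. It canonicalizes the path and checks containment instead of using the character blacklist the report mentions; `SafePath`, `ResolveUnder` and the sample file names are hypothetical.

```csharp
using System;
using System.IO;

public static class SafePath
{
    // Resolve an untrusted file name under baseDir, or throw if the
    // canonical result would land outside baseDir.
    public static string ResolveUnder(string baseDir, string untrustedName)
    {
        if (string.IsNullOrWhiteSpace(untrustedName))
            throw new ArgumentException("Empty file name.", nameof(untrustedName));

        // Canonical base with exactly one trailing separator, so that a
        // sibling such as ".../cache-evil" never matches ".../cache".
        string root = Path.GetFullPath(baseDir)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;

        // GetFullPath collapses "." and ".." segments. Path.Combine returns a
        // rooted second argument unchanged; the prefix check then rejects it.
        string candidate = Path.GetFullPath(Path.Combine(root, untrustedName));

        // Ordinal comparison fails closed on case-insensitive file systems.
        // Note: GetFullPath does not resolve symbolic links.
        if (!candidate.StartsWith(root, StringComparison.Ordinal))
            throw new UnauthorizedAccessException("Path escapes base directory.");

        return candidate;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample inputs; the third is the example from the report.
        string baseDir = Path.Combine(Path.GetTempPath(), "cache");
        string[] names = { "blobs.db", "sub/blobs.db", "../../etc/passwd",
                           "../cache-evil/blobs.db", "/etc/passwd" };
        foreach (string name in names)
        {
            try { Console.WriteLine($"ok      {name} -> {SafePath.ResolveUnder(baseDir, name)}"); }
            catch (Exception ex) when (ex is ArgumentException || ex is UnauthorizedAccessException)
            { Console.WriteLine($"reject  {name}: {ex.Message}"); }
        }
    }
}
```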
