Here are a few things I observed reviewing this chapter for a v5.0 sanity check related to #2582:
Question 1: In requirement 12.3.1 [MODIFIED, MERGED FROM 12.3.2, 12.3.3, 5.3.9] Verify that file operations avoid using user-submitted filenames or file metadata when creating file paths to protect against path traversal, local or remote file inclusion (LFI, RFI), and server-side request forgery (SSRF) attacks. Instead, use internal, trusted data for file I/O. If user-submitted filenames or file metadata must be used, strict validation and sanitization must be applied.
What do we mean by "use internal, trusted data for file I/O"? Is this referring to the data inside the file, thus not pertaining to metadata? Or internal, trusted data in the application, which means it will just ignore anything coming from the files, but what about the file name and others? I guess maybe it wasn't clear as to what it was referring to, and it might be confusing the way I read it.
What do we mean by "use internal, trusted data for file I/O."? Is this referring to the data inside the file, thus not pertaining to metadata?
This is like a static variable, a database ID, or another file reference that is not driven by user input. If you use a user-driven filename to save and load an uploaded file, you must be careful that it does not contain path traversal or similar file path attacks before using it in file I/O operations on your server.
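An added example (not ASVS text and not the commenter's code) of the two cases the reply describes: an upload store that builds paths only from a server-generated ID and keeps the client's filename purely as metadata, and a fallback `safe_join` for the case where a user-supplied name really must land in a path. `UploadStore`, `safe_join`, `is_rejected` and `demo` are hypothetical names; the in-memory dict stands in for a database table, and the hostile filenames in `demo()` are constructed inputs.

```python
import re
import secrets
import tempfile
from pathlib import Path

# Allow-list for the rare case a user-chosen name must reach the filesystem:
# alphanumeric first character (so "..", ".hidden" fail), then a limited
# character set with no "/" or "\", total length capped at 255.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


class UploadStore:
    """Files are written under a fixed base directory using an internally
    generated ID. The client's filename never becomes part of a path."""

    def __init__(self, base_dir):
        self.base_dir = Path(base_dir).resolve()
        self.base_dir.mkdir(parents=True, exist_ok=True)
        self._index = {}  # stands in for a database table: id -> metadata

    def save(self, user_filename, data):
        file_id = secrets.token_hex(16)  # trusted, server-generated reference
        (self.base_dir / file_id).write_bytes(data)
        # The user's name is stored as data, not used as a path component.
        self._index[file_id] = {"original_name": user_filename, "size": len(data)}
        return file_id

    def load(self, file_id):
        meta = self._index.get(file_id)  # look up by trusted ID, not by name
        if meta is None:
            raise KeyError("unknown file id")
        return (self.base_dir / file_id).read_bytes(), meta


def safe_join(base_dir, user_filename):
    """Validate a user-supplied name, then confirm the resolved path is still a
    direct child of base_dir (catches anything the regex might let through)."""
    if not _SAFE_NAME.fullmatch(user_filename):
        raise ValueError(f"rejected filename: {user_filename!r}")
    base = Path(base_dir).resolve()
    target = (base / user_filename).resolve()
    if target.parent != base:
        raise ValueError("path escapes base directory")
    return target


def is_rejected(base_dir, user_filename):
    try:
        safe_join(base_dir, user_filename)
        return False
    except ValueError:
        return True


def demo():
    base = tempfile.mkdtemp()
    store = UploadStore(base)
    # Hostile client-supplied name (constructed input); harmless because it is
    # never used to build the on-disk path.
    file_id = store.save("../../etc/passwd", b"hello")
    data, meta = store.load(file_id)
    hostile = ["../x", "..\\x", "/etc/passwd", "a/b", ".hidden", ""]
    return {
        "id_len": len(file_id),
        "stored_inside_base": (store.base_dir / file_id).is_file(),
        "data": data,
        "original_name": meta["original_name"],
        "good_name_ok": safe_join(base, "report.pdf").name == "report.pdf",
        "rejected": [n for n in hostile if is_rejected(base, n)],
    }


if __name__ == "__main__":
    print(demo())
```

The store is the preferred pattern: the only thing that touches the filesystem path is `file_id`, which the application generated itself. `safe_join` exists only for the "must be used" clause of the requirement, and it layers an allow-list with a post-resolution containment check rather than trying to strip traversal sequences out of the input.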
Chapter V12 - Files and Resources