Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

External Control of File Name or Path (Veracode CWE ID 73) #747

Open
leviyakir opened this issue Dec 9, 2021 · 0 comments
Open

External Control of File Name or Path (Veracode CWE ID 73) #747

leviyakir opened this issue Dec 9, 2021 · 0 comments
Labels

Comments

@leviyakir
Copy link

leviyakir commented Dec 9, 2021

We have used Veracode to scan Akavache library and it has come up with this issue:

Description

Allowing user input to control paths used in filesystem operations may enable an attacker to access or modify otherwise
protected system resources that would normally be inaccessible to end users. In some cases, the user-provided input may be
passed directly to the filesystem operation, or it may be concatenated to one or more fixed strings to construct a fully-qualified
path.
When an application improperly cleanses special character sequences in user-supplied filenames, a path traversal (or
directory traversal) vulnerability may occur. For example, an attacker could specify a filename such as "../../etc/passwd",
which resolves to a file outside of the intended directory that the attacker would not normally be authorized to view.

Recommendations

Assume all user-supplied input is malicious. Validate all user-supplied input to ensure that it conforms to the expected format,
using centralized data validation routines when possible. When using black lists, be sure that the sanitizing routine performs a
sufficient number of iterations to remove all instances of disallowed characters and ensure that the end result is not
dangerous.

The specific reference is to:
https://github.com/reactiveui/Akavache/blob/main/src/Akavache.Sqlite3/SQLite.cs#L3464
https://github.com/reactiveui/Akavache/blob/main/src/Akavache.Sqlite3/SQLite.cs#L3469

Description

This call contains a path manipulation flaw. The argument to the function is a filename constructed using untrusted
input. If an attacker is allowed to specify all or part of the filename, it may be possible to gain unauthorized access to
files on the server, including those outside the webroot, that would be normally be inaccessible to end users. The level
of exposure depends on the effectiveness of input validation routines, if any.

Recommendations

Validate all untrusted input to ensure that it conforms to the expected format, using centralized data validation routines
when possible. When using black lists, be sure that the sanitizing routine performs a sufficient number of iterations to
remove all instances of disallowed characters.

@leviyakir leviyakir added the Bug label Dec 9, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

1 participant