• CodeQL query help documentation »
• CodeQL query help for Java and Kotlin »

Partial path traversal vulnerability

ID: java/partial-path-traversal
Kind: problem
Security severity: 9.3
Severity: error
Precision: medium
Tags:
   - security
   - external/cwe/cwe-023
Query suites:
   - java-security-extended.qls
   - java-security-and-quality.qls

Click to see the query in the CodeQL repository

A common way to check that a user-supplied path SUBDIR falls inside a directory DIR is to use getCanonicalPath() to remove any path-traversal elements and then check that DIR is a prefix. However, if DIR is not slash-terminated, this can unexpectedly allow access to siblings of DIR.

See also java/partial-path-traversal-from-remote, which is similar to this query but only flags instances with evidence of remote exploitability.

Recommendation

If the user should only access items within a certain directory DIR, ensure that DIR is slash-terminated before checking that DIR is a prefix of the user-provided path, SUBDIR. Note, Java’s getCanonicalPath() returns a non-slash-terminated path string, so a slash must be added to DIR if that method is used.

Example

In this example, the if statement checks if parent.getCanonicalPath() is a prefix of dir.getCanonicalPath(). However, parent.getCanonicalPath() is not slash-terminated. This means that users that supply dir may be also allowed to access siblings of parent and not just children of parent, which is a security issue.

public class PartialPathTraversalBad {
    public void example(File dir, File parent) throws IOException {
        if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath())) {
            throw new IOException("Path traversal attempt: " + dir.getCanonicalPath());
        }
    }
}

In this example, the if statement checks if parent.toPath() is a prefix of dir.normalize(). Because Path#startsWith does the correct check that dir is a child of parent, users will not be able to access siblings of parent, as desired.

import java.io.File;

public class PartialPathTraversalGood {
    public void example(File dir, File parent) throws IOException {
        if (!dir.toPath().normalize().startsWith(parent.toPath())) {
            throw new IOException("Path traversal attempt: " + dir.getCanonicalPath());
        }
    }
}

References

• OWASP: Partial Path Traversal.

• CVE-2022-23457: ESAPI Vulnerability Report.

• Common Weakness Enumeration: CWE-23.

• © GitHub, Inc.
• Terms
• Privacy