Unsanitized dynamic input in file path traversal

Overview

• Rule ID: javascript_lang_path_traversal

• Applicable Languages: Javascript

• Weakness ID: CWE-22

Description

Using unsanitized dynamic input to determine file paths can enable attackers to access files and directories outside the intended scope. This vulnerability arises when user-provided input is directly used to interact with the filesystem without adequate validation or sanitization.

Remediation Guidelines

• Do not directly use user input to build file paths. This can result in unauthorized file access.

• Do sanitize user input used in file paths. Replace patterns that could allow navigation out of intended directories, such as ..\.., to prevent path traversal attacks.

  Copy

  var folder = target.replace(/^(\.\.(\/|\\|$))+/, '');
  

• Do check for and remove any occurrences of the NULL byte (%00) in user input to protect against NULL byte injection attacks.

  Copy

  if (target.indexOf('\0') !== -1) {
    // Handle or reject the input
  }
  

• Do use path concatenation methods provided by your programming environment to securely combine user input with your base directory path. This ensures the final path remains within the intended scope.

  Copy

  const path = require("path");
  var pathname = path.join("/public/", folder);
  if (pathname.indexOf("/public/") !== 0) {
    // Handle or reject the input
  }
  

References

• OWASP Path Traversal

• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

• OWASP Top 10: A01:2021 - Broken Access Control

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL