Excessive privileges - Access Mode - C-Sharp

Excessive privileges - Access Mode - C-Sharp

Need

Restriction of access privileges to system files and directories

Context

  • Usage of C# 8.0 for modern and efficient software development
  • Usage of Microsoft.AspNetCore for building web applications in .NET Core
  • Usage of Microsoft.Extensions.FileProviders.Physical for accessing physical file resources in .NET applications
  • Usage of Microsoft.Extensions.Hosting for building and hosting .NET Core applications
  • Usage of Microsoft.Extensions.Logging for logging and tracing in .NET applications
  • Usage of Microsoft.Extensions.Options for managing application configuration options

Description

Non compliant code

        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Home/Error");
        app.UseHsts();
    }

    app.UseHttpsRedirection();
    app.UseStaticFiles(new StaticFileOptions
    {
        FileProvider = new PhysicalFileProvider(
            Path.Combine(Directory.GetCurrentDirectory(), "wwwroot", "images")),
        RequestPath = "/images",
        OnPrepareResponse = ctx =>
        {
            // do not add cache headers
        }
    });
    app.UseRouting();

    app.UseAuthorization();

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllerRoute(
            name: "default",
            pattern: "{controller=Home}/{action=Index}/{id?}");
    });
}
        
        

In this code snippet, the UseStaticFiles middleware is used to serve static files from the wwwroot/images directory. The PhysicalFileProvider is used to specify the file provider for the directory.

However, the PhysicalFileProvider is created with an overly permissive access mode
- it's given access to the entire wwwroot/images directory. This means that any user can access any file in that directory, which could potentially include sensitive files that should not be publicly accessible.

In addition, the OnPrepareResponse action does not add any cache headers to the response. This means that the browser will cache the static files, which could potentially lead to sensitive information being stored in the user's browser cache.

Overall, this code is vulnerable to unauthorized access and information disclosure due to the excessive privileges granted to the PhysicalFileProvider.

Steps

  • Review the access mode of system files and directories.
  • Ensure that the access mode is set to the minimum required permissions.
  • Avoid using overly permissive access modes.
  • Consider using access control mechanisms to restrict access to sensitive files and directories.
  • Regularly review and update the access mode of system files and directories to maintain security.

Compliant code

        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Home/Error");
        app.UseHsts();
    }

    var path = Path.Combine(Directory.GetCurrentDirectory(), "wwwroot", "images");
    var physicalFileProvider = new PhysicalFileProvider(path);
    var fileInfo = physicalFileProvider.GetFileInfo(path);
    var filePermissions = fileInfo.CreateReadStream().CanWrite;

    if (filePermissions)
    {
        throw new Exception("The file permissions are too permissive. Please review the access mode of system files and directories.");
    }

    app.UseHttpsRedirection();
    app.UseStaticFiles(new StaticFileOptions
    {
        FileProvider = physicalFileProvider,
        RequestPath = "/images",
        OnPrepareResponse = ctx =>
        {
            // do not add cache headers
        }
    });
    app.UseRouting();

    app.UseAuthorization();

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllerRoute(
            name: "default",
            pattern: "{controller=Home}/{action=Index}/{id?}");
    });
}
        
        

The code above is a modification of the original code to fix the vulnerability of excessive privileges. The vulnerability was that the system files or directories had an access mode that was too permissive.

The fix involves checking the permissions of the file before serving it. The PhysicalFileProvider is used to get the FileInfo of the file. The CanWrite property of the FileInfo object is then checked. If the file is writable, an exception is thrown, indicating that the file permissions are too permissive.

This fix ensures that the access mode is set to the minimum required permissions and avoids using overly permissive access modes. It is also recommended to use access control mechanisms to restrict access to sensitive files and directories and to regularly review and update the access mode of system files and directories to maintain security.

References