Lack of data validation - Path Traversal - Go

Lack of data validation - Path Traversal - Go

Need

Implementation of proper input validation and sanitization to prevent path traversal attacks

Context

  • Usage of Go 1.16 for building high-performance and efficient applications
  • Usage of gin-gonic/gin for building web applications and APIs in Go
  • Usage of io/ioutil for reading and writing files in Node.js
  • Usage of net/http for creating HTTP servers in a Node.js application

Description

Non compliant code

        package main

import (
	"github.com/gin-gonic/gin"
	"io/ioutil"
	"net/http"
)

func main() {
	r := gin.Default()
	r.GET("/file/:filename", func(c *gin.Context) {
		filename := c.Param("filename")
		data, err := ioutil.ReadFile("./files/" + filename)
		if err != nil {
			c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
			return
		}
		c.JSON(http.StatusOK, gin.H{"file": string(data)})
	})
	r.Run()
}

In the above code, we have a simple Go application that uses the Gin web framework. The application has a single route /file/:filename that takes a filename as a parameter from the user and reads the file from the ./files/ directory.

The vulnerability lies in the fact that the application does not validate or sanitize the filename parameter before using it to construct the file path. This could lead to a Path Traversal attack where an attacker could manipulate the filename parameter to access files outside of the intended ./files/ directory.

For example, an attacker could send a request with a filename parameter of ../secret/passwords.txt and the application would attempt to read the file at ./files/../secret/passwords.txt, effectively accessing a file outside of the intended directory.

This lack of data validation could potentially allow an attacker to read any file that the application has access to, which could lead to the exposure of sensitive information.

Steps

  • Implement input validation to ensure that the filename parameter only contains allowed characters.
  • Use a whitelist approach to validate the filename parameter, allowing only alphanumeric characters and specific special characters if necessary.
  • Avoid using user-provided input directly in file paths. Instead, use a secure file access method that does not rely on user input to construct the path.
  • Consider using a file storage system that provides built-in protection against path traversal attacks.
  • If the application requires accessing files from the file system, ensure that the requested file is within a designated directory and not accessible outside of it.
  • Implement proper error handling to handle cases where the requested file does not exist or cannot be accessed.
  • Regularly update and patch the dependencies used in the application, including the Gin framework, to benefit from security fixes and improvements.
  • Perform security testing and code reviews to identify and address any other potential vulnerabilities in the application.

Compliant code

        package main

import (
	"github.com/gin-gonic/gin"
	"io/ioutil"
	"net/http"
	"path/filepath"
	"strings"
)

func main() {
	r := gin.Default()
	r.GET("/file/:filename", func(c *gin.Context) {
		filename := c.Param("filename")

		// Validate filename
		if !isValidFilename(filename) {
			c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid filename"})
			return
		}

		// Secure file access
		data, err := ioutil.ReadFile(filepath.Join("./files", filename))
		if err != nil {
			c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
			return
		}
		c.JSON(http.StatusOK, gin.H{"file": string(data)})
	})
	r.Run()
}

// isValidFilename checks if a filename is valid, allowing only alphanumeric characters and specific special characters
func isValidFilename(filename string) bool {
	return strings.ContainsAny(filename, "/\\\\:*?\\"<>|") == false
}

The updated code includes a function isValidFilename that checks if the filename contains any of the special characters that could be used in a path traversal attack ( /, \\, :, *, ?, ", <, >, |). If any of these characters are found in the filename, the function returns false and the request is rejected with a 400 Bad Request response.

The ioutil.ReadFile function is replaced with filepath.Join to construct the file path. This function securely constructs the file path, ensuring that the filename does not escape the intended directory.

The filename validation and secure file access methods protect the application against path traversal attacks by ensuring that user-provided input cannot be used to access files outside of the designated directory.

In addition to these changes, it is recommended to implement proper error handling, regularly update and patch dependencies, and perform security testing and code reviews to further enhance the security of the application.

References