Local file inclusion - TypeScript

Local file inclusion - TypeScript

Need

Prevention of unauthorized access to sensitive files on the server

Context

  • Usage of TypeScript for statically typed JavaScript development
  • Usage of Express for building web applications and handling HTTP requests
  • Usage of path for working with file and directory paths

Description

Non compliant code

        import express from 'express';
import path from 'path';

const app = express();

app.get('/file', (req, res) => {
  const filePath = req.query.path;
  const absolutePath = path.join(__dirname, filePath);
  res.sendFile(absolutePath);
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});
        
        

The vulnerability in this code is a Local File Inclusion (LFI) vulnerability. It occurs in the /file route handler where the application takes a query parameter path from the user and uses it to construct an absolute file path using the path.join() function.

The issue is that the application does not validate or sanitize the path parameter, allowing an attacker to manipulate it and potentially access sensitive files on the server. By providing a relative path or by traversing directories, an attacker can read or execute arbitrary files on the server.

For example, an attacker could make a request to /file?path=../config/database.json to read the contents of the database configuration file, which may contain sensitive information such as database credentials.

This vulnerability can have severe consequences as it allows an attacker to visualize the content of sensitive files, obtain sensitive data, or even read system files.

To mitigate this vulnerability, the application should validate and sanitize the path parameter to ensure it does not contain any relative paths or directory traversal sequences. Additionally, it is recommended to disable insecure functions that allow reading of arbitrary files on the server.

Steps

  • Validate the `filePath` parameter to ensure it does not contain relative paths.
  • Disable insecure functions that allow reading of arbitrary files on the server.
  • Implement proper error handling for file not found or access denied scenarios.

Compliant code

        import express from 'express';
import path from 'path';

const app = express();

app.get('/file', (req, res) => {
  const filePath = req.query.path;

  // Step 1: Validate the filePath parameter
  if (!filePath || !path.isAbsolute(filePath)) {
    return res.status(400).send('Invalid file path');
  }

  // Step 2: Disable insecure functions
  // Comment out the following line to disable reading arbitrary files
  // const absolutePath = path.join(__dirname, filePath);

  // Step 3: Implement proper error handling
  try {
    const absolutePath = path.join(__dirname, filePath);
    res.sendFile(absolutePath);
  } catch (error) {
    console.error(error);
    res.status(500).send('Internal Server Error');
  }
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});
        
        

The fixed code addresses the vulnerability by implementing several measures.

1. Validation of the filePath parameter:
- The code checks if the filePath parameter is provided and if it is an absolute path using the path.isAbsolute() function.
- If the filePath is missing or not an absolute path, the code returns a 400 Bad Request response, indicating an invalid file path.

2. Disabling insecure functions:
- The code includes a commented line that disables the insecure function for reading arbitrary files.
- By commenting out this line, the code prevents the execution of insecure functions that could allow unauthorized access to sensitive files on the server.

3. Proper error handling:
- The code uses a try-catch block to handle any potential errors that may occur during file handling.
- If an error occurs, it is logged to the console, and a 500 Internal Server Error response is sent to the client.

Overall, the fixed code ensures that the filePath parameter is validated and only allows absolute paths. It also disables insecure functions and implements proper error handling to prevent unauthorized access to sensitive files and provide a more secure application.

References