Avoid building paths from untrusted data

문서 > Datadog 보안 > Code Security > Static Code Analysis (SAST) > SAST 규칙 > Avoid building paths from untrusted data

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

ID: kotlin-security/avoid-path-traversal

Language: Kotlin

Severity: Error

Category: Security

CWE: 22

Description

This rule highlights the importance of avoiding the construction of file paths from untrusted data, such as user input. This is a critical security practice because malicious users can exploit such vulnerabilities to traverse directories (also known as path traversal attacks), gaining unauthorized access to files outside of the intended directory.

The rule helps prevent potential data breaches, unauthorized access to sensitive information, and system compromise. It enforces the principle of least privilege, ensuring that an application only accesses the resources it needs to function properly.

To adhere to this rule, always sanitize and validate user input before using it to construct file paths. For instance, use canonicalization to resolve any ‘..’ sequences in the path, and ensure the resulting path is within the intended directory. Avoid direct concatenation of user input into file paths. Instead, consider using a safer method, such as File(baseDir, fileName), which implicitly handles path normalization. You can also use an allowlist of allowed paths or a blocklist of disallowed paths to control access.

Non-Compliant Code Examples

// Non-compliant: Unsafe file path handling
class FileService {
    private val baseDir = "/app/files/"
    
    fun readUserFile(request: ApplicationCall) {
        // WARNING: Direct use of user input in file paths
        val userPath = request.parameters["path"]
        val file = File(userPath)  // Unsafe direct use of user input
        file.readText()
    }
}

Compliant Code Examples

class SecureFileService {
    private val baseDir = "/app/files/"
    
    suspend fun getFile(call: ApplicationCall) {
        val fileName = call.parameters["fileName"] ?: throw BadRequestException("Missing fileName")
        
        // Normalize and validate path
        val normalizedPath = File(fileName).normalize().toString()
        if (normalizedPath.contains("..")) {
            throw SecurityException("Path traversal attempted")
        }
        
        val safePath = baseDir + normalizedPath.replace("../", "")
        val absolutePath = File(safePath).canonicalPath
        
        // Verify file is within allowed directory
        if (!absolutePath.startsWith(File(baseDir).canonicalPath)) {
            throw SecurityException("Access denied to path outside base directory")
        }
        
        val file = File(absolutePath)
        if (file.exists()) {
            call.respondFile(file)
        } else {
            call.respond(HttpStatusCode.NotFound)
        }
    }
}

// Usage in a route
get("/download/{fileName}") {
    secureFileService.getFile(call)
}