Path Traversal in File Upload
Description
The filename provided by the FileUpload API is supplied by the client and can be tampered with to reference unauthorized files. The filename should be validated to ensure it is properly structured, contains no unauthorized path characters (e.g., `/`), and refers to an authorized file.
Examples
Insecure Code
```scala
import org.apache.commons.fileupload.servlet.ServletFileUpload
import scala.collection.JavaConverters._

val files = (new ServletFileUpload()).parseRequest(request)
for (file <- files.asScala) {
  val filename = file.getName() // client-controlled value, may contain path components
  // use filename without validation
}
```
Secure Code
```scala
import org.apache.commons.fileupload.servlet.ServletFileUpload
import scala.collection.JavaConverters._

val files = (new ServletFileUpload()).parseRequest(request)
for (file <- files.asScala) {
  val filename = file.getName()
  // Triple-quoted string so that \. is a literal regex escape and not an
  // (invalid) Scala string escape; matches() requires the whole name to match.
  if (filename.matches("""^[a-zA-Z0-9_]+\.txt$""")) {
    // use filename after validation
  } else {
    // handle invalid filename
  }
}
```
Remediation
Validate the filename to prevent path traversal attacks. Use a whitelist approach to only allow authorized file extensions and paths.
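As an added example (not the rule's own code), the following Scala validator applies the same allow-list as the secure snippet above and adds the check a practitioner usually wants alongside it: the resolved path is normalised and confirmed to sit directly under the upload directory, so a later loosening of the allow-list cannot silently reintroduce traversal. It assumes a hypothetical upload root of `/var/app/uploads`; the sample filenames are constructed for the demo.

```scala
import java.nio.file.{Path, Paths}
import scala.util.matching.Regex

object UploadFilenameValidator {
  // Same allow-list as the rule's secure example: a bare name ending in .txt.
  private val AllowedName: Regex = """^[a-zA-Z0-9_]+\.txt$""".r

  /** Returns the validated bare filename, or None if it must be rejected.
    * Some clients send a full client-side path (e.g. "C:\Users\x\report.txt"),
    * so only the last component, split on either separator, is considered. */
  def validateName(clientName: String): Option[String] = {
    val baseName = clientName.split("[/\\\\]").lastOption.getOrElse("")
    AllowedName.findFirstIn(baseName).filter(n => n != "." && n != "..")
  }

  /** Resolves the validated name under uploadDir and keeps it only if the
    * normalised result is a direct child of the (normalised) upload root. */
  def resolveUploadTarget(uploadDir: Path, clientName: String): Option[Path] = {
    val root = uploadDir.toAbsolutePath.normalize
    validateName(clientName)
      .map(name => root.resolve(name).normalize)
      .filter(p => p.startsWith(root) && p.getParent == root)
  }
}

object UploadFilenameDemo {
  def main(args: Array[String]): Unit = {
    val dir = Paths.get("/var/app/uploads") // hypothetical upload root
    val samples = Seq(                         // constructed inputs
      "report.txt",                  // accepted
      "../../etc/passwd",            // rejected: no .txt, not in allow-list
      "notes.txt;rm -rf",            // rejected: disallowed characters
      "C:\\Users\\alice\\notes.txt", // accepted as notes.txt (client path dropped)
      "..\\..\\x.txt"                // accepted as x.txt (client path dropped)
    )
    samples.foreach { n =>
      println(f"$n%-28s -> ${UploadFilenameValidator.resolveUploadTarget(dir, n)}")
    }
  }
}
```

Dropping client-side directory components rather than rejecting them is a design choice made here because some browsers include the full client path in `getName()`; a stricter policy can reject any name containing a separator instead.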
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0036 |
| Category | AccessControl |
| Severity | HIGH |
| CWE | CWE-22 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | Path Traversal, File Upload |
| OWASP | A5:2017-Broken Access Control, A01:2021-Broken Access Control |