Resolve vulnerability: Improper limitation of a pathname to a restricted directory ('Path Traversal')
AI GENERATED MERGE REQUEST
The suggested code changes were generated by GitLab Duo Vulnerability resolution, an AI feature. Use this feature with caution. Before you apply the code changes, carefully review and test them, to ensure that they solve the vulnerability.
The large language model that generated the suggested code changes was provided with only the affected lines of code, and the vulnerability in that code. It is not aware of any functionality outside of this context.
Please see our documentation for more information about this feature.
Description:
The application dynamically constructs file or path information. If the path information comes from user-supplied input, it could be abused to read sensitive files, access other users' data, or aid in exploitation to gain further system access.
User input should never be used in constructing paths or files for interacting
with the filesystem. This includes filenames supplied by user uploads or downloads.
If possible, consider hashing user input or using unique values and
use path.normalize to resolve and validate the path information
prior to processing any file functionality.
Example using path.normalize and not allowing direct user input:
// User input, saved only as a reference
// id is a randomly generated UUID to be used as the filename
const userData = {userFilename: userSuppliedFilename, id: crypto.randomUUID()};
// Restrict all file processing to this directory only
const basePath = '/app/restricted/';
// Create the full path, but only use our random generated id as the filename
const joinedPath = path.join(basePath, userData.id);
// Normalize path, removing any '..'
const fullPath = path.normalize(joinedPath);
// Verify the fullPath is contained within our basePath
if (!fullPath.startsWith(basePath)) {
console.log("Invalid path specified!");
}
// Process / work with file
// ...For more information on path traversal issues see OWASP: https://owasp.org/www-community/attacks/Path_Traversal
- Severity: medium
- Confidence: unknown
- Location: bin/collect_translations.js:34
Identifiers:
- CWE-22
- eslint.detect-non-literal-fs-filename
- ESLint rule ID/detect-non-literal-fs-filename
- A5:2017 - Broken Access Control
- A01:2021 - Broken Access Control