mirror of
https://github.com/github/codeql.git
synced 2026-06-18 19:31:11 +02:00
Fix documentation
@@ -3,51 +3,10 @@
|
||||
"qhelp.dtd">
|
||||
<qhelp>
|
||||
<overview>
|
||||
<p>A common way to check that a user-supplied path <code>SUBDIR</code> falls inside a directory <code>DIR</code>
|
||||
is to use <code>getCanonicalPath()</code> to remove any path-traversal elements and then check that <code>DIR</code>
|
||||
is a prefix. However, if <code>DIR</code> is not slash-terminated, this can unexpectedly allow accessing siblings of <code>DIR</code>.</p>
|
||||
<include src="PartialPathTraversalOverview.inc.qhelp">
|
||||
<p>See also <code>java/partial-path-traversal-from-remote</code>, which is similar to this query but only flags instances with evidence of remote exploitability</p>
|
||||
</overview>
|
||||
<recommendation>
|
||||
|
||||
<p>If the user should only access items within a certain directory <code>DIR</code>, ensure that <code>DIR</code> is slash-terminated
|
||||
before checking that <code>DIR</code> is a prefix of the user-provided path, <code>SUBDIR</code>. Note, Java's <code>getCanonicalPath()</code>
|
||||
returns a <b>non</b>-slash-terminated path string, so a slash must be added to <code>DIR</code> if that method is used.</p>
|
||||
<include src="PartialPathTraversalRemainder.inc.qhelp">
|
||||
|
||||
</recommendation>
|
||||
<example>
|
||||
|
||||
<p>
|
||||
|
||||
|
||||
In this example, the <code>if</code> statement checks if <code>parent.getCanonicalPath()</code>
|
||||
is a prefix of <code>dir.getCanonicalPath()</code>. However, <code>parent.getCanonicalPath()</code> is
|
||||
not slash-terminated. So, the user that supplies <code>dir</code> may be allowed to access siblings of <code>parent</code>
|
||||
and not just children of <code>parent</code>, which is a security issue.
|
||||
|
||||
</p>
|
||||
|
||||
<sample src="PartialPathTraversalBad.java" />
|
||||
|
||||
<p>
|
||||
|
||||
In this example, the <code>if</code> statement checks if <code>parent.getCanonicalPath() + File.separator </code>
|
||||
is a prefix of <code>dir.getCanonicalPath()</code>. Because <code>parent.getCanonicalPath().toPath()</code> is
|
||||
indeed slash-terminated, the user supplying <code>dir</code> can only access children of
|
||||
<code>parent</code>, as desired.
|
||||
|
||||
</p>
|
||||
|
||||
<sample src="PartialPathTraversalGood.java" />
|
||||
|
||||
</example>
|
||||
<references>
|
||||
|
||||
<li>
|
||||
OWASP:
|
||||
<a href="https://owasp.org/www-community/attacks/Path_Traversal">Partial Path Traversal</a>.
|
||||
CVE-2022-23457:
|
||||
<a href="https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/GHSL-2022-008_The_OWASP_Enterprise_Security_API.md"> ESAPI Vulnerability Report</a>
|
||||
</li>
|
||||
|
||||
</references>
|
||||
</qhelp>
|
||||
|
||||
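Review bot: the two replacement lines `<include src="PartialPathTraversalOverview.inc.qhelp">` and `<include src="PartialPathTraversalRemainder.inc.qhelp">` lack the self-closing `/>` that the `<sample src="PartialPathTraversalBad.java" />` lines in this same hunk use; as written, each `<include>` is opened and never closed, so the qhelp is no longer well-formed XML and the help page will not render. Suggest `<include src="PartialPathTraversalOverview.inc.qhelp" />` and `<include src="PartialPathTraversalRemainder.inc.qhelp" />`. Separately, the `<p>See also <code>java/partial-path-traversal-from-remote</code>, which is similar to this query but only flags instances with evidence of remote exploitability</p>` sentence that stays in this file is missing its terminating period.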
@@ -0,0 +1,11 @@
|
||||
<!DOCTYPE qhelp PUBLIC
|
||||
"-//Semmle//qhelp//EN"
|
||||
"qhelp.dtd">
|
||||
<qhelp>
|
||||
<overview>
|
||||
<include src="PartialPathTraversalOverview.inc.qhelp">
|
||||
</overview>
|
||||
|
||||
<include src="PartialPathTraversalRemainder.inc.qhelp">
|
||||
|
||||
</qhelp>
|
||||
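Review bot: this new qhelp has no counterpart to the `See also` cross-reference that the other query's overview keeps (pointing at `java/partial-path-traversal-from-remote`), so a reader of the from-remote help gets no pointer back to the broader query this help was split from nor a note that the only difference is the evidence-of-remote-exploitability requirement. Suggest adding a `<p>See also ...</p>` after the overview include, mirroring the other file. The same well-formedness point applies here: both `<include src="...">` lines should end in `/>`, matching the `<sample ... />` convention used elsewhere in this commit.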
@@ -0,0 +1,10 @@
|
||||
<!DOCTYPE qhelp PUBLIC
|
||||
"-//Semmle//qhelp//EN"
|
||||
"qhelp.dtd">
|
||||
<qhelp>
|
||||
|
||||
<p>A common way to check that a user-supplied path <code>SUBDIR</code> falls inside a directory <code>DIR</code>
|
||||
is to use <code>getCanonicalPath()</code> to remove any path-traversal elements and then check that <code>DIR</code>
|
||||
is a prefix. However, if <code>DIR</code> is not slash-terminated, this can unexpectedly allow accessing siblings of <code>DIR</code>.</p>
|
||||
|
||||
</qhelp>
|
||||
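Review bot: the shared overview paragraph states the sibling problem only abstractly, and since this fragment is now the entire overview shown for the from-remote query, one concrete illustration would make the risk clear at a glance, e.g. with `DIR` canonicalised to `/safe`, a canonical `SUBDIR` of `/safe2/x` starts with `/safe` and passes the prefix check despite lying outside the directory, whereas a `/safe/` prefix rejects it. Suggest appending that sentence to the `<p>` before `</qhelp>`.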
@@ -0,0 +1,51 @@
|
||||
<!DOCTYPE qhelp PUBLIC
|
||||
"-//Semmle//qhelp//EN"
|
||||
"qhelp.dtd">
|
||||
<qhelp>
|
||||
|
||||
<recommendation>
|
||||
|
||||
<p>If the user should only access items within a certain directory <code>DIR</code>, ensure that <code>DIR</code> is slash-terminated
|
||||
before checking that <code>DIR</code> is a prefix of the user-provided path, <code>SUBDIR</code>. Note, Java's <code>getCanonicalPath()</code>
|
||||
returns a <b>non</b>-slash-terminated path string, so a slash must be added to <code>DIR</code> if that method is used.</p>
|
||||
|
||||
</recommendation>
|
||||
<example>
|
||||
|
||||
<p>
|
||||
|
||||
|
||||
In this example, the <code>if</code> statement checks if <code>parent.getCanonicalPath()</code>
|
||||
is a prefix of <code>dir.getCanonicalPath()</code>. However, <code>parent.getCanonicalPath()</code> is
|
||||
not slash-terminated. So, the user that supplies <code>dir</code> may be allowed to access siblings of <code>parent</code>
|
||||
and not just children of <code>parent</code>, which is a security issue.
|
||||
|
||||
</p>
|
||||
|
||||
<sample src="PartialPathTraversalBad.java" />
|
||||
|
||||
<p>
|
||||
|
||||
In this example, the <code>if</code> statement checks if <code>parent.getCanonicalPath() + File.separator </code>
|
||||
is a prefix of <code>dir.getCanonicalPath()</code>. Because <code>parent.getCanonicalPath().toPath()</code> is
|
||||
indeed slash-terminated, the user supplying <code>dir</code> can only access children of
|
||||
<code>parent</code>, as desired.
|
||||
|
||||
</p>
|
||||
|
||||
<sample src="PartialPathTraversalGood.java" />
|
||||
|
||||
</example>
|
||||
<references>
|
||||
|
||||
<li>
|
||||
OWASP:
|
||||
<a href="https://owasp.org/www-community/attacks/Path_Traversal">Partial Path Traversal</a>.
|
||||
CVE-2022-23457:
|
||||
<a href="https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/GHSL-2022-008_The_OWASP_Enterprise_Security_API.md"> ESAPI Vulnerability Report</a>
|
||||
</li>
|
||||
|
||||
</references>
|
||||
|
||||
|
||||
</qhelp>
|
||||
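Review bot: the second example paragraph says `Because <code>parent.getCanonicalPath().toPath()</code> is indeed slash-terminated`, but the check it describes one line earlier is `parent.getCanonicalPath() + File.separator`; `getCanonicalPath()` returns a `String`, which has no `toPath()`, so the sentence names an expression that is neither in the sample nor in the API. Suggest `Because <code>parent.getCanonicalPath() + File.separator</code> is slash-terminated, ...`, and drop the trailing space inside `<code>parent.getCanonicalPath() + File.separator </code>`. Two smaller points in the moved text: `Note, Java's <code>getCanonicalPath()</code>` reads better as `Note that Java's ...`, and the `<references>` block puts the OWASP link and the CVE-2022-23457 report in a single `<li>`; give each its own `<li>`, and since the OWASP URL is the general `Path_Traversal` article, link text of `Path Traversal` rather than `Partial Path Traversal` would describe it accurately.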