SEC-FILEOP-path-traversal
Synopsis
User input is used as a file path, or used to derive a file path.
Enabled by default
No
Severity/Certainty
High/Medium

Full description
User input is used either directly or in part to derive a file path. Unless this information is checked, an attacker could send a value that causes a file open to traverse out of the intended directory. As a result, files you wish to keep secure could be opened, modified, or deleted. An attacker could also create files in undesired locations. Values that come from user input should be checked, by string comparison or similar, before being used as a path to a file.
Coding standards
- CWE 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE 23: Relative Path Traversal
- CWE 36: Absolute Path Traversal
Code examples
The following code example fails the check and will give a warning, because argv[1] is appended to the path without any validation (a value such as "../../etc/passwd" escapes /tmp/sandbox/):
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[]) {
    if (argc < 2) return -1;          /* no file name supplied */
    char path[100] = "/tmp/sandbox/";
    strncat(path, argv[1], 50);       /* unchecked user input becomes part of the path */
    FILE *file = fopen(path, "r");
    if (!file) return -1;
    int c;                            /* int, not char: EOF is outside the range of char */
    while ((c = fgetc(file)) != EOF) {
        printf("%c", c);
    }
    fclose(file);
    return 0;
}
The following code example passes the check and will not give a warning about this issue, because the path is a fixed string that no user input can influence:
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[]) {
    char path[100] = "/tmp/sandbox/plain.txt";   /* constant path, not derived from input */
    FILE *file = fopen(path, "r");
    if (!file) return -1;
    int c;                            /* int, not char: EOF is outside the range of char */
    while ((c = fgetc(file)) != EOF) {
        printf("%c", c);
    }
    fclose(file);
    return 0;
}
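The description above asks for user-supplied values to be checked before they become part of a path. The following is an added example, not one of the rule's own code examples: a variant of the failing program that still takes the file name from argv[1] but accepts only a single path component from a conservative character allowlist, rejects "." and "..", and builds the final path with truncation checking, so the open can never leave the sandbox directory. The function names and the /tmp/sandbox base directory are illustrative choices.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Accept only a single file name component: no '/' (so no directory
 * traversal), not "." or "..", and only characters from an allowlist.
 * Returns 1 if the name is acceptable, 0 otherwise. */
int is_safe_component(const char *name) {
    if (name == NULL || name[0] == '\0') return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (const char *p = name; *p; p++) {
        unsigned char ch = (unsigned char)*p;
        if (!(isalnum(ch) || ch == '.' || ch == '_' || ch == '-')) return 0;
    }
    return 1;
}

/* Write "<base>/<name>" into out only when name passes the check and the
 * result fits without truncation. Returns 0 on success, -1 on rejection. */
int build_sandbox_path(const char *base, const char *name,
                       char *out, size_t outlen) {
    if (!is_safe_component(name)) return -1;
    int n = snprintf(out, outlen, "%s/%s", base, name);
    if (n < 0 || (size_t)n >= outlen) return -1;   /* truncated: fail closed */
    return 0;
}

/* Open a user-named file inside base for reading; NULL if the name is
 * rejected or the file cannot be opened. */
FILE *open_in_sandbox(const char *base, const char *name) {
    char path[100];
    if (build_sandbox_path(base, name, path, sizeof path) != 0) return NULL;
    return fopen(path, "r");
}

int main(int argc, char *argv[]) {
    if (argc < 2) { fprintf(stderr, "usage: %s <filename>\n", argv[0]); return 1; }
    FILE *file = open_in_sandbox("/tmp/sandbox", argv[1]);
    if (!file) { fprintf(stderr, "rejected or unreadable: %s\n", argv[1]); return 1; }
    int c;
    while ((c = fgetc(file)) != EOF) putchar(c);
    fclose(file);
    return 0;
}
```

Because the validation happens on the raw string before any file operation, a rejected name such as "../../etc/passwd" never reaches fopen at all.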