[Esapi-dev] DefaultValidator and validating canonical paths (and input)
jim.manico at owasp.org
Thu Dec 9 14:53:16 EST 2010
I think the code as it stands is correct.
The point of this function is to REJECT paths like...
The goal is to stop path manipulation attacks, something Java in general is
very vulnerable to.
We are essentially saying that, if the raw input path is not the same as the
canonical form of that path, then fully reject it.
This is very important when user input drives FileIO (which is itself
incredibly dangerous and can be designed around).
Does this make sense?
From: esapi-dev-bounces at lists.owasp.org
[mailto:esapi-dev-bounces at lists.owasp.org] On Behalf Of Peterson David
Sent: Thursday, December 09, 2010 7:43 AM
To: esapi-dev at lists.owasp.org
Subject: [Esapi-dev] DefaultValidator and validating canonical paths (and
in esapi-2.0_rc10, in DefaultValidator.getValidDirectoryPath(), towards
the bottom of the method it checks that the canonical form matches the
input. to do this, it gets the canonical path of the File created using
the input string. that canonical path is then validated (and encoded,
among other things).
then it checks to see if the validated/encoded canonical path is the
same string as the input string. this seems odd to me because the input
path may be something like "../conf/" (and the canonical path obviously
perhaps getValidDirectoryPath() expects a full directory path for its
input argument? but that doesn't make much sense (and isn't indicated in
i think there is a bug in the code, line 398 in DefaultValidator should
that seems to make sense of those three lines of code. is this a
candidate for the next release, possibly?
Senior Software Engineer, *Axway*
Phoenix, Arizona 85054
<mailto:dpeterson at us.axway.com>
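To make the rule under discussion concrete, here is an added standalone example (not ESAPI's DefaultValidator code) that applies the same "raw input must equal its canonical form" test to a few constructed inputs; it assumes only the JDK's java.io.File.getCanonicalPath(), which is what the thread refers to.

```java
import java.io.File;
import java.io.IOException;
import java.util.List;

/**
 * Illustrates the canonical-form check discussed in the thread: a directory
 * path is accepted only if the raw input string is identical to the
 * canonical form Java computes for it. Standalone example, not ESAPI's
 * DefaultValidator; the sample inputs below are constructed for the demo.
 */
public class CanonicalPathCheck {

    /** Returns true only when the input already is its own canonical form. */
    static boolean isCanonicalDirectoryPath(String input) {
        try {
            // getCanonicalPath() resolves "..", ".", symlinks and a trailing
            // separator, and makes the path absolute, so any traversal
            // sequence changes the string and the comparison fails.
            String canonical = new File(input).getCanonicalPath();
            return canonical.equals(input);
        } catch (IOException e) {
            // Cannot canonicalise: fail closed, as a validator should.
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // Absolute, already-canonical directory: accepted.
        String base = new File(System.getProperty("java.io.tmpdir")).getCanonicalPath();
        // Traversal sequence: canonical form differs, so it is rejected.
        String traversal = base + File.separator + ".." + File.separator + "conf";
        // Relative input: canonical form is absolute, so it is rejected too,
        // which is the mismatch the original poster saw with "../conf/".
        String relative = "conf";

        for (String p : List.of(base, traversal, relative)) {
            System.out.printf("%-50s -> %s%n", p,
                    isCanonicalDirectoryPath(p) ? "ACCEPT" : "REJECT");
        }
    }
}
```

Run it with `java CanonicalPathCheck.java` (JDK 11 or later); only the first path is accepted, and the output shows why callers must pass a fully canonical absolute path for this style of check to accept anything.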