[Esapi-dev] DefaultValidator and validating canonical paths (and input)

Jim Manico jim.manico at owasp.org
Thu Dec 9 14:53:16 EST 2010


David,

I think the code as it stands is correct.

The point of this function is to REJECT paths like...

../conf/

The goal is to stop path manipulation attacks, something Java in general is
very vulnerable to.

We are essentially saying that, if the raw input path is not the same as the
canonical form of that path, then fully reject it.

This is very important when user input drives FileIO (which is itself
incredibly dangerous and can be designed around).

Does this make sense?

 - Jim

-----Original Message-----
From: esapi-dev-bounces at lists.owasp.org
[mailto:esapi-dev-bounces at lists.owasp.org] On Behalf Of Peterson David
Sent: Thursday, December 09, 2010 7:43 AM
To: esapi-dev at lists.owasp.org
Subject: [Esapi-dev] DefaultValidator and validating canonical paths (and
input)

In esapi-2.0_rc10, in DefaultValidator.getValidDirectoryPath(), towards 
the bottom of the method it checks that the canonical form matches the 
input.  To do this, it gets the canonical path of the File created using 
the input string.  That canonical path is then validated (and encoded, 
among other things).

Then it checks to see if the validated/encoded canonical path is the 
same string as the input string.  This seems odd to me because the input 
path may be something like "../conf/" (and the canonical path obviously 
will not).

Perhaps getValidDirectoryPath() expects a full directory path for its 
input argument? But that doesn't make much sense (and isn't indicated in 
the docs).

I think there is a bug in the code, line 398 in DefaultValidator should 
read:
     if (!canonical.equals(canonicalPath))
instead of:
     if (!canonical.equals(input))

That seems to make sense of those three lines of code.  Is this a 
candidate for the next release, possibly?

thanks
-- 

*DAVE PETERSON*
Senior Software Engineer, *Axway*
Phoenix, Arizona 85054
<mailto:dpeterson at us.axway.com>
_______________________________________________
Esapi-dev mailing list
Esapi-dev at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/esapi-dev
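The rule Jim describes, "reject the path unless the raw input is byte-for-byte its own canonical form", is easy to misread, so here is a stand-alone illustration of it. This is an added example written for this archive page, not ESAPI's DefaultValidator code; the class and method names (CanonicalPathCheck, RejectedPathException) are made up, and the containment check against a base directory is an extra a practitioner would normally want, not something the thread itself discusses. As the run shows, "../conf/" is rejected precisely because its canonical form cannot equal the raw input, which is the behaviour Jim describes; an already-canonical absolute path passes, and a symlink that points elsewhere is rejected for the same reason.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Added illustration (not ESAPI code) of the "input must equal its canonical
 * form" rule from the thread, plus a base-directory containment check.
 */
public final class CanonicalPathCheck {

    /** Stand-in for ESAPI's ValidationException (hypothetical name). */
    public static final class RejectedPathException extends Exception {
        RejectedPathException(String msg) { super(msg); }
    }

    /**
     * Returns input unchanged if (a) it canonicalizes to itself and
     * (b) the canonical form lives under baseDir; otherwise throws.
     * One trailing separator is trimmed before comparing, because
     * File.getCanonicalPath() never returns one.
     */
    public static String getValidDirectoryPath(String input, File baseDir)
            throws RejectedPathException, IOException {
        if (input == null || input.isEmpty()) {
            throw new RejectedPathException("empty path");
        }
        String canonical = new File(input).getCanonicalPath();
        String trimmed = input.length() > 1 && input.endsWith(File.separator)
                ? input.substring(0, input.length() - 1) : input;
        if (!canonical.equals(trimmed)) {
            // "../conf/" canonicalizes to something like "/home/app/conf":
            // relative segments, ".." and symlinks all change the string,
            // so the raw input can never match and is rejected.
            throw new RejectedPathException(
                    "not in canonical form: " + input + " -> " + canonical);
        }
        String base = baseDir.getCanonicalPath();
        if (!canonical.equals(base) && !canonical.startsWith(base + File.separator)) {
            throw new RejectedPathException("escapes " + base + ": " + canonical);
        }
        return input;
    }

    public static void main(String[] args) throws IOException {
        // toRealPath() so the base itself is canonical (e.g. /var vs /private/var).
        Path base = Files.createTempDirectory("canon-demo").toRealPath();
        Path good = Files.createDirectory(base.resolve("data"));
        Path link = base.resolve("link");
        try {
            Files.createSymbolicLink(link, good);  // resolves to base/data
        } catch (UnsupportedOperationException | IOException e) {
            link = null;  // filesystem without symlink support
        }

        String[] probes = {
            good.toString(),                    // ACCEPT: absolute, already canonical
            good + File.separator,              // ACCEPT: trailing separator tolerated
            "../conf/",                         // REJECT: relative, contains ".."
            good + File.separator + ".." + File.separator + "data", // REJECT: ".." inside
            base.getParent().toString(),        // REJECT: canonical but outside base
            link == null ? "../conf" : link.toString() // REJECT: symlink resolves elsewhere
        };
        for (String p : probes) {
            try {
                System.out.println("ACCEPT " + getValidDirectoryPath(p, base.toFile()));
            } catch (RejectedPathException e) {
                System.out.println("REJECT " + e.getMessage());
            }
        }
    }
}
```

Compile and run with `javac CanonicalPathCheck.java && java CanonicalPathCheck`. The design consequence David points out is visible here: because the comparison is against the raw input, callers must hand the validator a full, already-canonical directory path; anything relative, anything containing "..", and anything reached through a symlink is rejected, which is what makes the check useful against traversal when user input drives file I/O.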