
CONTRAST: Path Traversal from "path" Parameter on "/getphoto" page #7

@jason-at-contrast

Description


Vulnerability ID: 8S5A-S1S4-IT6A-TXRG

Application Name: CargoCats-contrast-cargo-cats-imageservice

Vulnerability Link: https://eval.contrastsecurity.com/Contrast/static/ng/index.html#/545a3bce-97c5-4732-af38-1ac459087b0a/applications/aba4e03c-6290-4cf5-9783-333ac67e1a57/vulns/8S5A-S1S4-IT6A-TXRG

What Happened?

We tracked the following data from "path" Parameter:

GET /getphoto?path=cat.jpg

...which was accessed within the following code:

Program.<>c__DisplayClass0_0.<<Main>$>b__2(), line 99

...and ended up being used as part of the path in the following file being opened:

/app/uploads/cat.jpg

What's the risk?

The application takes data from untrusted input and uses it to access the file system. Because untrusted data forms part of the file path, an attacker may be able to read sensitive data or, where the same pattern reaches a write, create, overwrite or delete arbitrary files on the container's file system (arbitrary file write is also called Unrestricted or Arbitrary File Upload). In this trace the sink is File.ReadAllBytes() on /app/uploads/<path>, so the immediate risk is arbitrary file read with the permissions of the image service process.

Recommendation

The application opens up a file or file I/O stream based on untrusted input. Although it's not directly clear how that file is being used, this functionality could be an avenue for path traversal abuse.

Here's an example of a typical path traversal vulnerability:

// C# (ASP.NET Core):
string statement = HttpContext.Request.Query["statement"];
if (statement == null || !statement.EndsWith(".xml")) { // Validate (weakly) that this is an XML file
    logger.LogError("Bad filename sent");
    return;
}

// Read the specified file. Concatenation keeps any "../" segments in
// `statement`, so the resulting path can leave STATEMENT_DIR.
string path = STATEMENT_DIR + statement;
using FileStream fs = File.Open(path, FileMode.Open);
byte[] b = new byte[1024];
int len;
while ((len = fs.Read(b, 0, b.Length)) > 0) {
    HttpContext.Response.Body.Write(b, 0, len);
}

Often there is no filename validation at all. Either way, an attacker could abuse this functionality to view protected configuration files by passing the following value for the statement parameter; the EndsWith(".xml") check does nothing to stop it, because the traversal sequence sits before the extension:

http://yoursite.com/app/pathTraversal?statement=../../../../../../web.xml

To prevent attacks like this, any of the following steps could help:
* Use a map to filter out invalid values. Instead of accepting file=<string>, accept file=<int> and use that int as the key into a server-side map of allowed files. If the map has no entry for the key, return an error. No file name ever crosses the trust boundary.
* Strongly validate the file value against an allowlist or a strict regular expression (bare file name, no separators, no ".."), then canonicalize the joined path with Path.GetFullPath and confirm it still starts with the intended directory before opening it.

Example path traversal validator:

using System.Text.RegularExpressions;

namespace Contrast;

public static class SecurityUtils
{
    // Validate 'statement' so that only a bare XML file name is accepted: no
    // separators, no "..", no other characters. \A and \z rather than ^ and $
    // because in .NET $ also matches before a trailing newline.
    public static bool IsValidStatementPath(string statementPath)
    {
        Regex r = new Regex(@"\A[A-Za-z0-9]+\.xml\z");
        return statementPath != null && r.IsMatch(statementPath);
    }
}

Example usage of validator:

string statement = HttpContext.Request.Query["statement"];
if (Contrast.SecurityUtils.IsValidStatementPath(statement))
{
    // Read the file here as normal
}
else
{
    // log error message
}

See https://docs.contrastsecurity.com/admin-policymgmt.html#security on how to add custom security controls to the Contrast policy. The validator above would be entered as: System.Boolean Contrast.SecurityUtils.IsValidStatementPath(System.String*)
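The following is an added example, not code from the CargoCats image service or from Contrast: a hardened /getphoto handler for an ASP.NET Core minimal API, alongside the vulnerable shape the trace implies and the id-map alternative from the recommendations above. Only the /app/uploads directory and the path parameter come from the finding; uploadsRoot, PhotoPath.TryResolve, ContentTypeFor, the /photo/{id} route and the two sample map entries are this example's own assumptions.

```csharp
// Added example, not the CargoCats project's code. Create a project with
// `dotnet new web -o hardened && cd hardened`, replace Program.cs with this
// file, then `dotnet run`.
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Directory from the finding, canonicalised once so the containment check
// below compares like with like.
string uploadsRoot = Path.GetFullPath("/app/uploads");

// Vulnerable shape implied by the trace: the query value is joined onto the
// directory and handed straight to File.ReadAllBytes. Path.Combine is not a
// fix: it passes "../" through, and if the second argument is rooted
// ("/etc/passwd") it discards the first argument entirely.
app.MapGet("/getphoto-unsafe", (string path) =>
    Results.Bytes(File.ReadAllBytes(Path.Combine(uploadsRoot, path)), "image/jpeg"));

// Hardened: allowlist the name, then canonicalise and prove containment.
app.MapGet("/getphoto", (string? path) =>
{
    if (!PhotoPath.TryResolve(uploadsRoot, path, out string full))
        return Results.BadRequest("invalid photo name");
    if (!File.Exists(full))
        return Results.NotFound();
    return Results.File(full, PhotoPath.ContentTypeFor(full));
});

// Alternative from the recommendations: no file name crosses the trust
// boundary. The client sends an integer id; the server owns the map.
var photosById = new Dictionary<int, string> { [1] = "cat.jpg", [2] = "ship.png" }; // constructed sample
app.MapGet("/photo/{id:int}", (int id) =>
    photosById.TryGetValue(id, out string? name)
        ? Results.File(Path.Combine(uploadsRoot, name), PhotoPath.ContentTypeFor(name))
        : Results.NotFound());

app.Run();

public static class PhotoPath
{
    // Allowlist: a bare file name of letters/digits/underscore/hyphen with one
    // image extension. \A and \z rather than ^ and $ so that "cat.jpg\n" is
    // rejected: in .NET, $ also matches before a trailing newline.
    private static readonly Regex Name =
        new(@"\A[A-Za-z0-9_-]{1,64}\.(jpe?g|png)\z", RegexOptions.IgnoreCase);

    public static bool TryResolve(string root, string? input, out string fullPath)
    {
        fullPath = "";
        if (string.IsNullOrEmpty(input) || !Name.IsMatch(input))
            return false;

        // Defence in depth: even with the allowlist, canonicalise and check that
        // the result is still inside root. This is the check that keeps
        // mattering if the allowlist is later loosened to permit subdirectories.
        string candidate = Path.GetFullPath(Path.Combine(root, input));
        string rootPrefix = root.EndsWith(Path.DirectorySeparatorChar)
            ? root
            : root + Path.DirectorySeparatorChar;
        if (!candidate.StartsWith(rootPrefix, StringComparison.Ordinal))
            return false;

        fullPath = candidate;
        return true;
    }

    public static string ContentTypeFor(string fileName) =>
        fileName.EndsWith(".png", StringComparison.OrdinalIgnoreCase) ? "image/png" : "image/jpeg";
}
```

With this in place, `GET /getphoto?path=cat.jpg` still serves /app/uploads/cat.jpg, while `path=../../etc/passwd`, `path=/etc/passwd` and `path=cat.jpg%0a` are all rejected by the allowlist before any file system call, and the containment check would catch them even if the regex were relaxed. Two caveats: Path.GetFullPath does not resolve symbolic links, so a symlink planted inside the uploads directory is not covered by the prefix check, and the /getphoto-unsafe route exists only to show the contrast and should not ship.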

Check out our AI-generated Intelligent Remediation Guidance! https://eval.contrastsecurity.com/Contrast/static/ng/index.html#/545a3bce-97c5-4732-af38-1ac459087b0a/vulns/8S5A-S1S4-IT6A-TXRG/overview/recommendation

First Event


Stack:
  System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start()
  System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start()
  System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start()
  System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start()
  System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start()
  System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start()
  Microsoft.AspNetCore.Builder.UseExtensions.<>c__DisplayClass0_1.<Use>b__1()
  Microsoft.AspNetCore.Hosting.HostingApplication.ProcessRequestAsync()
  Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.<ProcessRequests>d__238`1[TContext].MoveNext()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].ExecutionContextCallback()
  System.Threading.ExecutionContext.RunInternal()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].MoveNext()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].MoveNext()
  System.Threading.Tasks.AwaitTaskContinuation.RunOrScheduleAction()
  System.Threading.Tasks.Task.RunContinuations()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder.SetResult()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].ExecutionContextCallback()
  System.Threading.ExecutionContext.RunInternal()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].MoveNext()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].MoveNext()
  System.Threading.Tasks.AwaitTaskContinuation.RunOrScheduleAction()
  System.Threading.Tasks.Task.RunContinuations()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder.SetResult()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].ExecutionContextCallback()
  System.Threading.ExecutionContext.RunInternal()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].MoveNext()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].MoveNext()
  System.Threading.Tasks.AwaitTaskContinuation.RunOrScheduleAction()
  System.Threading.Tasks.Task.RunContinuations()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].ExecutionContextCallback()
  System.Threading.ExecutionContext.RunInternal()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].MoveNext()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].MoveNext()
  System.Threading.Tasks.AwaitTaskContinuation.RunOrScheduleAction()
  System.Threading.Tasks.Task.RunContinuations()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder.SetResult()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].ExecutionContextCallback()
  System.Threading.ExecutionContext.RunInternal()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].MoveNext()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].MoveNext()
  System.Threading.Tasks.AwaitTaskContinuation.RunOrScheduleAction()
  System.Threading.Tasks.Task.RunContinuations()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].ExecutionContextCallback()
  System.Threading.ExecutionContext.RunInternal()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].MoveNext()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].MoveNext()
  System.Threading.Tasks.AwaitTaskContinuation.RunOrScheduleAction()
  System.Threading.Tasks.Task.RunContinuations()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].ExecutionContextCallback()
  System.Threading.ExecutionContext.RunInternal()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].MoveNext()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].MoveNext()
  System.Threading.Tasks.AwaitTaskContinuation.RunOrScheduleAction()
  System.Threading.Tasks.Task.RunContinuations()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder.SetResult()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].ExecutionContextCallback()
  System.Threading.ExecutionContext.RunInternal()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].MoveNext()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].MoveNext()
  System.Threading.Tasks.AwaitTaskContinuation.RunOrScheduleAction()
  System.Threading.Tasks.Task.RunContinuations()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].ExecutionContextCallback()
  System.Threading.ExecutionContext.RunInternal()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].MoveNext()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].MoveNext()
  System.Threading.Tasks.AwaitTaskContinuation.RunOrScheduleAction()
  System.Threading.Tasks.Task.RunContinuations()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder.SetResult()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].ExecutionContextCallback()

Last Event


Stack:
  Microsoft.Win32.SafeHandles.SafeFileHandle.Open()
  System.IO.File.OpenHandle()
  System.IO.File.ReadAllBytes()
  Program.<>c__DisplayClass0_0.<<Main>$>b__2(Program.cs:99)
  unknown.lambda_method698()
  Microsoft.AspNetCore.Http.RequestDelegateFactory.<>c__DisplayClass81_0.<Create>b__1()
  Microsoft.AspNetCore.Routing.EndpointMiddleware.Invoke()
  Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware.SetRoutingAndContinue()
  Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware.Invoke()
  Microsoft.AspNetCore.HostFiltering.HostFilteringMiddleware.Invoke()
  Microsoft.AspNetCore.Builder.UseExtensions.<>c__DisplayClass0_2.<Use>b__2()
  System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start()
  System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start()
  System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start()
  System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start()
  System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start()
  System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start()
  System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start()
  System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start()
  System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start()
  System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start()
  Microsoft.AspNetCore.Builder.UseExtensions.<>c__DisplayClass0_1.<Use>b__1()
  Microsoft.AspNetCore.Hosting.HostingApplication.ProcessRequestAsync()
  Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.<ProcessRequests>d__238`1[TContext].MoveNext()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].ExecutionContextCallback()
  System.Threading.ExecutionContext.RunInternal()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].MoveNext()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].MoveNext()
  System.Threading.Tasks.AwaitTaskContinuation.RunOrScheduleAction()
  System.Threading.Tasks.Task.RunContinuations()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder.SetResult()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].ExecutionContextCallback()
  System.Threading.ExecutionContext.RunInternal()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].MoveNext()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].MoveNext()
  System.Threading.Tasks.AwaitTaskContinuation.RunOrScheduleAction()
  System.Threading.Tasks.Task.RunContinuations()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder.SetResult()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].ExecutionContextCallback()
  System.Threading.ExecutionContext.RunInternal()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].MoveNext()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].MoveNext()
  System.Threading.Tasks.AwaitTaskContinuation.RunOrScheduleAction()
  System.Threading.Tasks.Task.RunContinuations()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].ExecutionContextCallback()
  System.Threading.ExecutionContext.RunInternal()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].MoveNext()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].MoveNext()
  System.Threading.Tasks.AwaitTaskContinuation.RunOrScheduleAction()
  System.Threading.Tasks.Task.RunContinuations()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder.SetResult()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].ExecutionContextCallback()
  System.Threading.ExecutionContext.RunInternal()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].MoveNext()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].MoveNext()
  System.Threading.Tasks.AwaitTaskContinuation.RunOrScheduleAction()
  System.Threading.Tasks.Task.RunContinuations()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].ExecutionContextCallback()
  System.Threading.ExecutionContext.RunInternal()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].MoveNext()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].MoveNext()
  System.Threading.Tasks.AwaitTaskContinuation.RunOrScheduleAction()
  System.Threading.Tasks.Task.RunContinuations()
  System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.AsyncStateMachineBox`1[TResult,TStateMachine].ExecutionContextCallback()
  System.Threading.ExecutionContext.RunInternal()

HTTP Request

GET http://imageservice:80/getphoto?path=cat.jpg HTTP/1.1
ContrastTraceparent: 00-05bea24a985955bb36bbba9d88075d90-a00e7eb6332a91e3-01
Host: imageservice
User-Agent: Java/11.0.30
Connection: keep-alive
Accept: application/octet-stream, application/json, application/*+json, */*

Session ID: 92f41261387cef1b0885ed1f8f6a0a20
artifactHash: 7582D8E22BD5E733
