Prevent Filesystem Oracle Attacks

Why this matters

Applications that disclose file existence based on user input can be exploited to infer filesystem structure. Ensure user input is properly validated and sanitized.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

import java.io.File;

@Controller
public class ExampleController
{
    static private String targetDirectory = "/path/to/target/directory/";

    @GetMapping(value = "/exists")
    public void delete(@RequestParam("filetitle") String filetitle) throws IOException {

        File file = new File(targetDirectory + filetitle);
        if (!file.exists()) { // Noncompliant
            throw new IOException("File does not exists in the target directory");
        }
    }
}

Prefer

import java.io.File;

@Controller
public class ExampleController
{
    static private String targetDirectory = "/path/to/target/directory/";

    @GetMapping(value = "/exists")
    public void delete(@RequestParam("filetitle") String filetitle) throws IOException {

        File file = new File(targetDirectory + filetitle);
        String canonicalDestinationPath = file.getCanonicalPath();

        if (!canonicalDestinationPath.startsWith(targetDirectory)) {
            throw new IOException("Entry is outside of the target directory");
        } else if (!file.exists()) {
            throw new IOException("File does not exists in the target directory");
        }
    }
}

More snippets

Bad

import java.io.File;

@Controller
public class ExampleController
{
    static private String targetDirectory = "/path/to/target/directory/";

    @GetMapping(value = "/exists")
    public void delete(@RequestParam("filetitle") String filetitle) throws IOException {

        File file = new File(targetDirectory + filetitle);
        if (!file.exists()) { // Noncompliant
            throw new IOException("File does not exists in the target directory");
        }
    }
}

Good

import java.io.File;

@Controller
public class ExampleController
{
    static private String targetDirectory = "/path/to/target/directory/";

    @GetMapping(value = "/exists")
    public void delete(@RequestParam("filetitle") String filetitle) throws IOException {

        File file = new File(targetDirectory + filetitle);
        String canonicalDestinationPath = file.getCanonicalPath();

        if (!canonicalDestinationPath.startsWith(targetDirectory)) {
            throw new IOException("Entry is outside of the target directory");
        } else if (!file.exists()) {
            throw new IOException("File does not exists in the target directory");
        }
    }
}

Related rules

From the same buckets as this rule.

Critical

Always sanitize user inputs

Check if user inputs are sanitized before being used in rendering or database queries. Unsanitized inputs can lead to injection vulnerabilities like XSS or SQL injection.

security-hardening

Critical

Always Verify Server Certificates in SSL/TLS Connections

Ensure that SSL/TLS certificate validation is always enabled to prevent Man-in-the-Middle (MitM) attacks.

security-hardening

Critical

Avoid modifying built-in prototypes

Detect modifications to built-in prototypes. Modifying built-in objects can lead to compatibility issues and unexpected behavior. Recommend creating helper functions instead.

maintainabilitysecurity-hardening

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

import java.io.File;

@Controller
public class ExampleController
{
    static private String targetDirectory = "/path/to/target/directory/";

    @GetMapping(value = "/exists")
    public void delete(@RequestParam("filetitle") String filetitle) throws IOException {

        File file = new File(targetDirectory + filetitle);
        if (!file.exists()) { // Noncompliant
            throw new IOException("File does not exists in the target directory");
        }
    }
}

Prefer

import java.io.File;

@Controller
public class ExampleController
{
    static private String targetDirectory = "/path/to/target/directory/";

    @GetMapping(value = "/exists")
    public void delete(@RequestParam("filetitle") String filetitle) throws IOException {

        File file = new File(targetDirectory + filetitle);
        String canonicalDestinationPath = file.getCanonicalPath();

        if (!canonicalDestinationPath.startsWith(targetDirectory)) {
            throw new IOException("Entry is outside of the target directory");
        } else if (!file.exists()) {
            throw new IOException("File does not exists in the target directory");
        }
    }
}

More snippets

Bad

import java.io.File;

@Controller
public class ExampleController
{
    static private String targetDirectory = "/path/to/target/directory/";

    @GetMapping(value = "/exists")
    public void delete(@RequestParam("filetitle") String filetitle) throws IOException {

        File file = new File(targetDirectory + filetitle);
        if (!file.exists()) { // Noncompliant
            throw new IOException("File does not exists in the target directory");
        }
    }
}

Good

import java.io.File;

@Controller
public class ExampleController
{
    static private String targetDirectory = "/path/to/target/directory/";

    @GetMapping(value = "/exists")
    public void delete(@RequestParam("filetitle") String filetitle) throws IOException {

        File file = new File(targetDirectory + filetitle);
        String canonicalDestinationPath = file.getCanonicalPath();

        if (!canonicalDestinationPath.startsWith(targetDirectory)) {
            throw new IOException("Entry is outside of the target directory");
        } else if (!file.exists()) {
            throw new IOException("File does not exists in the target directory");
        }
    }
}

Related rules

From the same buckets as this rule.

Critical

Always sanitize user inputs

Check if user inputs are sanitized before being used in rendering or database queries. Unsanitized inputs can lead to injection vulnerabilities like XSS or SQL injection.

security-hardening

Critical

Always Verify Server Certificates in SSL/TLS Connections

Ensure that SSL/TLS certificate validation is always enabled to prevent Man-in-the-Middle (MitM) attacks.

security-hardening

Critical

Avoid modifying built-in prototypes

Detect modifications to built-in prototypes. Modifying built-in objects can lead to compatibility issues and unexpected behavior. Recommend creating helper functions instead.

maintainabilitysecurity-hardening