How to prevent directory traversal attack from Python code

Asked 19/7, 2017 at 11:5 Answered 21/7, 2023 at 11:52

I need to prevent from directory traversal attack from my code using Python. My code is below:

if request.GET.get('param') is not None and request.GET.get('param') != '':
    param = request.GET.get('param')
    startdir = os.path.abspath(os.curdir)
    requested_path = os.path.relpath(param, startdir)
    requested_path = os.path.abspath(requested_path)
    print(requested_path)
    tfile = open(requested_path, 'rb')
    return HttpResponse(content=tfile, content_type="text/plain")

Here I need user is running like http://127.0.0.1:8000/createfile/?param=../../../../../../../../etc/passwd this it should prevent the directory traversal attack.

Contrail answered 19/7, 2017 at 11:5 Comment(3)

user should not be allowed to access or modify sudo directories. So check that path is not a sudo dir – Manila 19/7, 2017 at 11:9

I need to prevent also that. Can you make it like this ? – Contrail 19/7, 2017 at 11:11

not saying that its a good solution but there are around 20 root directories so check that path does not contain any one of them like if user requests a path containing bin directory then don't allow – Manila 19/7, 2017 at 11:15

Suppose the user content is all located in

safe_dir = '/home/saya/server/content/'

Ending with / is important as heinrichj mentions to ensure the check below matches against a specific directory.

You need to verify the final request is in there:

if os.path.commonprefix((os.path.realpath(requested_path),safe_dir)) != safe_dir: 
    #Bad user!

If the requested path is allowed to be the save_dir itself, you would also need to allow entry if os.path.realpath(requested_path)+'/' == safe_dir.

I encourage you to make sure all stuff you want accessible by the user in one place.

Scarlet answered 19/7, 2017 at 11:13 Comment(12)

You should consider adding os.path.realpath() to it in case there is a symlink in the safe path that points outside of it. – Satanic 19/7, 2017 at 11:16

@Contrail Correct. It's usually the best practice to make sure stuff readable by the world is in the same place. – Scarlet 19/7, 2017 at 11:17

Ok,Let me to implement it and let you know. – Contrail 19/7, 2017 at 11:19

Can I write safe_dir=os.path.abspath(os.curdir), If i need to give permission to my projrct folder only. – Contrail 19/7, 2017 at 11:20

@Contrail No, because you may be executing from somewhere else. If the python file is in the 'safe' directory use safe_dir=os.path.realpath(__FILE__) though I usually separate content from code. Also note you should use realpath, as zwer mentioned. – Scarlet 19/7, 2017 at 11:22

safe_dir is giving /opt/lampp/htdocs/Nuclear_reactor/d50/nuclear_correct/__FILE__ like this. Is this right ? – Contrail 19/7, 2017 at 11:28

@Contrail I had a typo - forgot to get the dir, and name of variable: safe_dir=os.path.dirname(os.path.realpath(__file__)) – Scarlet 19/7, 2017 at 11:28

Let us continue this discussion in chat. – Contrail 19/7, 2017 at 11:29

This doesn't seem watertight, because commonprefix just looks for the longest string prefix. If you allow access to /web, this will also allow traversal to /web2, for example. – Madore 17/10, 2019 at 9:50

And years afterwards, a security flaw is found. @Madore thanks! added a fix. – Scarlet 17/10, 2019 at 10:9

@Scarlet no problem. You might consider using startswith instead, which does look at full path components. – Madore 17/10, 2019 at 12:48

@Madore I am unfamiliar with that, except as a string function (which acts like commonprefix). I do not think it's from a standard library. I'll add it to the answer if you tell me where to find it. – Scarlet 17/10, 2019 at 18:0

you could try the methods of pathlib.Path

Path(root_dir).joinpath(param).resolve().relative_to(root_dir.resolve())

should return the relative path starting from the root_dir, or raise an ValueError if a directory traversal attack is tried

testing

param = 'test_file'
Path(root_dir).joinpath(param).relative_to(root_dir)

WindowsPath('test_file')

param = 'test_file/nested'
Path(root_dir).joinpath(param).relative_to(root_dir)

WindowsPath('test_file/nested')

param = 'non_existing/../../data'
Path(root_dir).joinpath(param).resolve().relative_to(root_dir.resolve())

---------------------------------------------------------------------------
ValueError                                Traceback (most recent call last)
<ipython-input-26-a74379fe1817> in <module>()
....
ValueError: 'C:\\python_scripts\\PyCharmProjects\\data' does not start with 'C:\\python_scripts\\PyCharmProjects\\testproject'

param = 'non_existing/../nested'
Path(root_dir).joinpath(param).resolve().relative_to(root_dir.resolve())

WindowsPath('nested')

Dyslexia answered 19/7, 2017 at 12:9 Comment(0)

-2

a check like below will also prevent traversal.

if '..' in pathParam:
    abort(ERRORCODE)

Wellgrounded answered 21/7, 2023 at 11:52 Comment(1)

This is easily circumventable, see owasp.org/www-community/attacks/Path_Traversal – Kentiga 15/8, 2023 at 14:13

testing

Recommended topics

Hot tags