Unsanitized dynamic input in file path

  • Rule ID: javascript_lang_path_traversal
  • Languages: javascript
  • Source: path_traversal.yml

Description

Using unsanitized dynamic input to determine file paths can allow attackers to read, write or delete files and folders outside of the intended scope (path traversal). This vulnerability occurs when user-controlled input, such as a query parameter or a request body field, is passed to a filesystem API without first being validated against the directory the application intends to expose.

Remediations

  • Do not directly use user input to construct file paths. This can lead to unauthorized file access.
  • Do sanitize user input used in file paths. Strip segments that navigate out of the intended directory, such as ../ or ..\, to prevent path traversal attacks. Note that the pattern below only removes a leading run of .. segments; a .. that appears later in the path (for example css/../../secret) passes through untouched, so treat this as a first filter and combine it with the resolved-path check in the last remediation.
    var folder = target.replace(/^(\.\.(\/|\\|$))+/, '');
  • Do check for and reject any NULL byte in user input (the raw character "\0", usually delivered URL-encoded as "%00") to guard against poison NULL byte attacks. Native filesystem calls treat the NUL as the end of the string, so "report.pdf\0.png" can pass an extension check in JavaScript while the operating system opens "report.pdf". Perform this check on the fully decoded value.
    if (target.indexOf('\0') !== -1) {
    // Handle or reject the input
    }
  • Do use the path functions provided by your programming environment (path.join or path.resolve in Node.js) to combine user input with your base directory, then verify that the normalized result still starts with the base directory. Because these functions collapse .. segments, a traversal attempt produces a path that falls outside the base prefix and fails the check. Keep the trailing separator in the prefix so that "/public/" does not also accept a sibling such as "/publicX/".
    const path = require("path");
    var pathname = path.join("/public/", folder);
    if (pathname.indexOf("/public/") !== 0) {
    // Handle or reject the input
    }

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_path_traversal

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_lang_path_traversal