View Help Online

Start here

Home
About Klocwork
What's new
Fixed issues
Release notes
Installation

Reference

C/C++ checkers
Java checkers
C# checkers
MISRA C 2004 checkers
MISRA C++ 2008 checkers
MISRA C 2012 checkers
MISRA C 2012 checkers with Amendment 1
Commands
Metrics
Troubleshooting
Reference

Product components

C/C++ Integration build analysis
Java Integration build analysis
Desktop analysis
Refactoring
Klocwork Static Code Analysis
Klocwork Code Review
Structure101
Tuning
Custom checkers

Coding environments

Visual Studio
Eclipse for C/C++
Eclipse for Java
IntelliJ IDEA
Other

Administration

Project configuration
Build configuration
Administration
Analysis performance
Server performance
Security/permissions
Licensing
Klocwork Static Code Analysis Web API
Klocwork Code Review Web API

Community

View help online
Visit RogueWave.com
Klocwork Support
Rogue Wave Videos

Legal

Legal information

SV.TAINTED.PATH_TRAVERSAL

Unvalidated input in path construction

If a program uses external input to construct a pathname without special character neutralization, it can be left open to a path traversal attack. This checker reports defects when external strings that are used as parts of file paths are not checked properly.

Vulnerability and risk

A path traversal attack aims to get access to arbitrary files and directories including critical system or application data. A path traversal attack can also be used to provide malicious configuration for a program. It has been ranked as #13 in the Top 25 Most Dangerous Programming Errors.

Mitigation and prevention

To avoid this issue, it's best to add validation code before raw input is used as a pathname. The validation code must contain checks for the following cases:

  • dot-dot-slash (../): Using this sequence and its variations, an attacker could navigate your file system and obtain access to any file.
 Note that (../) can be presented in various encodings, for example, " ../../../etc/shadow" .
  • absolute paths: Using absolute paths in a situation when relative paths are expected could also provide access to arbitrary files in your system, for example, "/etc/shadow".
  • null symbol : Using the null symbol may allow an attacker to truncate a generated filename to widen the scope of attack in a situation when an application restricts possible file extensions by checking or appending specific extension, for example, "application.cfg%00.pdf".

Vulnerable code example

1  main.c
2  #include <stdio.h>
3  int main(int argc, char **argv) {
4    char *name = argv[1];
5    FILE *user_config = fopen(name, "r");
6    if (user_config == NULL) {
7      return 1;
8    }
9    fclose(user_config);
10    return 0;
11  }

Klocwork reports a defect in this example because the "name" string is received through the "argv" argument and is used as a pathname without being validated.

Fixed code example

1  check.h
2  char* neutralize(char *);
3  main.c
4  #include <stdio.h>
5  #include "check.h"
6  int main(int argc, char **argv) {
7     char *name = argv[1];
8     name = neutralize(name);
9     FILE *user_config = fopen(name, "r");
10    if (user_config == NULL) {
11       return 1;
12    }
13    fclose(user_config);
14    return 0;
15    }
16
17      check.kb
18      neutralize - TSCheckPT 1 : $1 : 1

Klocwork will not report a defect in this example because the external input is passed to the "neutralize" function and is validated, making the path safe.

Extension

This checker can be extended through the Klocwork knowledge base. See Tuning C/C++ analysis and C/C++ knowledge base reference for more information.

Related checkers

External guidance

Parent topic: Unvalidated user input
Previous topic: SV.TAINTED.LOOP_BOUND
Next topic: SV.TAINTED.SECURITY_DECISION

© Rogue Wave Software, Inc. All rights reserved. | Contact