使用Path.Combine时的路径遍历警告 [英] Path traversal warning when using Path.Combine

问题描述

我目前正在使用NewtonJSON从JSON文件加载一些UI数据.但是，有一条警告说我有遍历路径.

I am currently using NewtonJSON to load some UI data from a JSON file. However, there is an warning says I have path traversal.

这里是情况:

是否有消除此安全漏洞的想法?

Any idea to remove this security vulnerability?

推荐答案

当将用户或其他不受信任来源提供的路径与父路径合并而不进行检查时，可能会进行路径遍历.问题在于，路径中存在路径遍历"组件，可以导航到父文件夹之外.

The path traversal exploit is possible when a path provided by a user or other untrusted source is combined, without checking, with a parent path. The problem is that there are "path traversal" components of paths that enable navigation out of the parent folder.

例如，如果要组合以下两条路径，则为绝对路径和相对路径:

For example, if you were to combine the following two paths, an absolute path and a relative one:

Base/absolute path: C:\WebData
Relative/user path: ..\windows\system32\

然后这将产生:

C:\windows\system32\

您可以想象，让某人读取或写入此目录(该目录不是预期的 WebData 目录)可能是一个巨大的问题，因为它可能导致某人学习有关您系统的信息或放置破坏系统的漏洞，将控制权交给恶意行为者.

As you can imagine, letting someone read or write this directory, which is not the intended WebData directory, could be a huge problem, as it could lead to someone learning information about your system or placing exploits that compromise the system, giving control of it to malicious actors.

您可以了解有关此漏洞的更多信息.

要正确处理此漏洞，您需要确保与父路径结合的相对路径是安全的.以下是确保这一点的一些方法:

To deal with this vulnerability properly, you need to ensure that the relative path combined with the parent path is safe. Here are some ways to ensure this:

• 相对路径来自已知的可信来源，例如经过审查的内部列表.
• 先前已经检查并保存/维护了相对路径，以确保可以将其与不受信任的路径区分开，并且在此期间用户或不受信任的代理程序不能对其进行修改.例如，将路径保留在字符串中是一个 bad 想法.相反，您可以执行类似创建 TrustedPath 类的操作，该类实际上只能通过运行检查路径安全的代码来获取的实例.
• 组合后检查生成的路径，以确保其在正确的位置.

• The relative path comes from a known trusted source, such as a vetted, internal list.
• The relative path has previously been checked and was stored/maintained in a way that ensures it can be distinguished from untrusted paths, and could not be modified by a user or untrusted agent in the meantime. For example, keeping the path in a string is a bad idea. Instead, you would do something like create a TrustedPath class that code could only gain an instance of by in fact running code that checked that the path is safe.
• The resulting path is checked after combination to ensure it is in the correct location.

您可以像这样做最后一项:

You could do the last item like so:

1. (为避免不必要的异常，这是一种很好的做法)，请使用 Path.GetInvalidFileNameChars()检查无效字符的(不可信)相对路径.
2. 按照您的说明执行 Path.Combine().
3. 确保生成的路径仍在原始父路径内.可以通过简单地确保结果路径以父路径开头来完成此操作，但是这样做可能会有问题.因此，请考虑这样的答案或其他确保结果路径为 truly 的后代的代码所需的文件夹.

1. (As good practice to avoid unnecessary exceptions), use Path. GetInvalidFileNameChars() to check the (untrusted) relative path for invalid characters.
2. Perform Path.Combine() as you have done.
3. Ensure the resulting path is still within the original, parent path. This can be done by simply ensuring the resulting path starts with the parent path, but there may be issues with that. So consider an answer like this or other code that ensures the resulting path is truly a descendant of the desired folder.

完成所有这些操作后，如果仍然显示路径遍历"警告，则可以使用代码质量/安全性检查工具中的菜单选项将此路径遍历实例注释为安全.您可能还想在注释中添加注释，以说明为什么将其标记为安全，这可以想象包括此SO问题或其答案之一的链接.

Once you have done all this, if the "path traversal" warning is still showing, you can use the menu options in your code quality/security checking tool to annotate this instance of path traversal as safe. You may also want to put a comment with notes explaining why you marked it as safe, which could conceivably include a link to this SO question or one of its answers.

注释1:请谨慎使用已被证实可以与特定绝对路径结合使用的相对路径.请考虑以下内容:

Note 1: Be careful about reusing a relative path that you have proven combines okay with a specific absolute path. Consider the following:

Base/absolute path: C:\WebData\FormElements\SuperForm\windows\
Relative/user path: ..\windows\

这两个路径可以安全地组合在一起，但是尚未证明相对路径始终可以与任何绝对路径一起使用.

These two paths would combine safely, however this has not proven that the relative path is always safe to use with any absolute path.

注意2:.请谨慎操作.假设相对路径遍历始终以 .. \ 开始是错误的.以下是有效的相对路径: folder \ .. \ .. \ wheeeWeGotOut .

Note 2: Be wary how you go about this. Assuming that relative path traversal always starts with ..\ is a mistake. The following is a valid relative path: folder\..\..\wheeeWeGotOut.

这篇关于使用Path.Combine时的路径遍历警告的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！