Path traversal gear


Jeffrey Walton

Feb 5, 2025, 1:54:19 PM
to ESAPI Project Users
Hi Everyone,

I'm looking for an ESAPI solution to a path traversal in a HttpServlet.

Grepping the sources for 'traversal' leads to one hit in
SafeFile.java,[0] but it looks like it is missing path traversal gear.

My question is, does ESAPI have something for path traversal? If so,
can someone point it out, please?

[0] https://github.com/ESAPI/esapi-java-legacy/blob/develop/src/main/java/org/owasp/esapi/SafeFile.java

Jeff

xeno...@gmail.com

Feb 5, 2025, 6:02:55 PM
to ESAPI Project Users, nolo...@gmail.com
There is, but only in a highly limited use case.  Specifically, if your app is taking a file path as an argument, the validator class does have a Validator.getValidDirectoryPath() method that should reject attempts at directory traversal.  
 
But if you're looking for something to secure higher up, like preventing foo.com/../../../../../etc/passwd type attacks, that implementation is handled at the webserver itself, not the application where ESAPI is going to be running, and at the web stack layer, for example Spring that had this one last year:  https://spring.io/security/cve-2024-38819
 
There isn't a generic defense against directory traversal in Java land, if THAT is what you're after.  (Somebody feel free to prove me wrong...)
--

xeno...@gmail.com

Feb 5, 2025, 6:17:11 PM
to ESAPI Project Users, nolo...@gmail.com, xeno...@gmail.com
Let me qualify that a bit:  ESAPI is typically used in the context of an MVC framework like SpringMVC or perhaps Struts, which abstracts away everything except the exact point in time where your code takes over at a GET/POST request.  So your typical threat surface is
 
1.)  Webserver (Tomcat/NGINX)
2.)  Application stack (SpringMVC/Struts)
3.)  Your application itself.  
 
ESAPI provides NO help with 1 & 2, and in the third case, only when you're dealing with files on a remote file system through your web application.  

Kevin W. Wall

Feb 9, 2025, 5:04:44 PM
to xeno...@gmail.com, ESAPI Project Users, nolo...@gmail.com
On Wed, Feb 5, 2025 at 6:17 PM <xeno...@gmail.com> wrote:
> Let me qualify that a bit:  ESAPI is typically used in the context of an MVC framework like SpringMVC or perhaps Struts, which abstracts away everything except the exact point in time where your code takes over at a GET/POST request.  So your typical threat surface is
>
> 1.)  Webserver (Tomcat/NGINX)
> 2.)  Application stack (SpringMVC/Struts)
> 3.)  Your application itself.
>
> ESAPI provides NO help with 1 & 2, and in the third case, only when you're dealing with files on a remote file system through your web application.

While ESAPI doesn't offer a lot of help for these, that is not to say that #1 or #2 are impossible to address.

In Nginx (or the corresponding Apache HTTPD web server), you'd pretty much have to write a web server extension to call ESAPI code, since AFAIK, neither of those can call Java code directly. However, you probably could use their SDK to write an extension and call Java through a reverse JNI. 20+ years ago, I worked on a project where we did something similar with Netscape iPlanet web server and NSAPI calling a static Java method via a reverse-JNI of sorts. It's an ugly kludge, but we made it work.

In the case of Tomcat, it likely would be less complicated. You probably could do it by implementing a Tomcat Valve, and possibly even a Java EE / Jakarta Servlet Filter, depending on what you're trying to do.

If you are trying to address #2, often there are ways to extend the web application framework (or "application stack", as Matt refers to it), but the details would be specific to the framework / version you are working with. Matt is right in that ESAPI offer a lot with these cases though.

That said, the Validator.getValidDirectory is probably your best bet. If there's something else that you wished that it would cover that it doesn't presently do, please consider writing up a new GitHub issue.

-kevin
--
Blog: https://off-the-wall-security.blogspot.com/    | GitHub: @kwwall | OWASP ESAPI Project co-lead | OWASP and ACM lifetime member
NSA: All your crypto bit are belong to us.
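The following is an added example, not code from the thread or from the ESAPI project, showing how the Validator.getValidDirectoryPath() method recommended above can be used inside the application (case #3) to resolve a user-supplied file name under a fixed base directory, with an independent canonical-prefix check as defence in depth. The class name SafeDownloadResolver and the base directory /srv/app/public are assumptions; the ESAPI calls are the real ones from ESAPI 2.x.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

/**
 * Resolves a user-supplied file name (e.g. a servlet request parameter) to a
 * file strictly inside BASE_DIR, rejecting anything that would escape it.
 */
public final class SafeDownloadResolver {

    // Hypothetical base directory for this example; adjust to your deployment.
    private static final File BASE_DIR = new File("/srv/app/public");

    private SafeDownloadResolver() {}

    /** Returns the canonical file for requestedName, or throws ValidationException. */
    public static File resolve(String requestedName) throws ValidationException {
        if (requestedName == null || requestedName.isEmpty()) {
            throw new ValidationException("File name required", "Empty file name rejected");
        }
        try {
            File base = BASE_DIR.getCanonicalFile();
            // Join to the base and canonicalise: collapses "..", "." and symlinks.
            File candidate = new File(base, requestedName).getCanonicalFile();

            // Check 1: ESAPI's own guard. The directory part must exist, lie inside
            // 'base' and match the DirectoryName regex from ESAPI.properties.
            ESAPI.validator().getValidDirectoryPath(
                    "download-dir", candidate.getParent(), base, false);

            // Check 2: independent canonical-prefix test on the full path, so the
            // decision does not rest on the configured regex alone.
            Path basePath = base.toPath();
            if (!candidate.toPath().startsWith(basePath) || candidate.equals(base)) {
                throw new ValidationException("Invalid file name",
                        "Path escapes base directory: " + candidate);
            }
            if (!candidate.isFile()) {
                throw new ValidationException("File not found", "Not a regular file: " + candidate);
            }
            return candidate;
        } catch (IntrusionException e) {
            // ESAPI raises this when the input looks like an attack; fail closed.
            throw new ValidationException("Invalid file name", e.getMessage(), e);
        } catch (IOException e) {
            throw new ValidationException("Invalid file name", "Cannot canonicalise path", e);
        }
    }
}
```

Note that getValidDirectoryPath() requires the directory to already exist and compares the input against its canonical form, which is why the example passes the canonicalised parent rather than the raw request value.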
