Comments (9)
from owasp-java-encoder.
Hey Jim! Thanks for the quick response. I agree - encoded parameters are the best way to go, but in the case I'm thinking of, the untrusted input has to be part of the URL itself, not a parameter. I don't think URL encoding can be relied on since servers will just decode it and canonicalize the path. Here's a quick test:
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import org.owasp.encoder.Encode;

public class EncodedPathTest {
    public static void main(String[] args) throws Exception {
        // untrusted input that has to become part of the URL path, not a query parameter
        String bad = "okay.txt/../../../../key.txt";
        URL badURL = new URL("http://127.0.0.1:8000/a/b/c/" + Encode.forUriComponent(bad));
        System.out.println("Bad URL: " + badURL.toString());
        HttpURLConnection con = (HttpURLConnection) badURL.openConnection();
        con.setRequestMethod("GET");
        int responseCode = con.getResponseCode();
        System.out.println("GET Response Code :: " + responseCode);
        if (responseCode == HttpURLConnection.HTTP_OK) { // success
            BufferedReader in = new BufferedReader(new InputStreamReader(con.getInputStream()));
            String inputLine;
            StringBuilder response = new StringBuilder();
            while ((inputLine = in.readLine()) != null) {
                response.append(inputLine);
            }
            in.close();
            // print result
            System.out.println(response.toString());
        } else {
            System.out.println("GET request did not work");
        }
    }
}
against a Python server, the file called "key.txt" in the root directory is accessed instead of files in /a/b/c as intended:
Bad URL: http://127.0.0.1:8000/a/b/c/okay.txt%2F..%2F..%2F..%2F..%2Fkey.txt
GET Response Code :: 200
sensitive
Is there a different encoder that I should be using?
It seems to me--in cases where it's possible--that validation, rather than output encoding, is the more appropriate defense here. That might not be feasible if the URL that you are creating a path for is not your site (i.e., that of the ORIGIN server), but even then you probably can decide to at least use a block-list and deny "..". If it's your site, then use canonicalization and then check to see if it corresponds to a legitimate resource. And for JavaEE, put your configuration data like "key.txt" either outside of Document Root or, if you want it bundled in your .war or .ear file, make sure it is under WEB-INF/ so the JavaEE container itself will prevent direct browsing attempts to those resources.
Thanks @jmanico - I don't have a .NET environment but I will check out the other resource.
The more I think about it, I'm inclined to agree with @kwwall - I'm just not sure if encoding will ever be enough in this case (without breaking things) - whatever custom encoding scheme you take you'd have to assume the server will be able to decode it, which would be impossible when you're constructing requests to a different site you don't control.
It's crazy how flexible URL paths can be. All of these curl requests are identical and retrieve key from the root of my directory:
curl --path-as-is --url "http://localhost:8000/a/b/c/../../../key"
curl --path-as-is --url "http://localhost:8000/a/b/c/okay%2F..%2F..%2F..%2F..%2Fkey"
curl --path-as-is --url "http://localhost:8000/a/b/c/%6f%6b%61%79%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%6b%65%79"
As for sanitization, I think two good approaches are:
- just strip all .. and / from the string
- construct a path from the input and only return the filename portion
I've implemented both as an example:
Bad Input: okay/../../../../key
Just filename: key
StripDotsAndSlashes: okaykey
Even with sanitization it's tricky since the user could supply input that is already URL encoded. In this case the sanitization function needs to properly URL decode any input before stripping dots and slashes or extracting just a filename.
Does it make sense to add any sanitization functions to this library for these cases?
Here's what I was thinking to "sanitize" the inputs. It depends whether you want to honor paths (slashes) or not:
import java.net.URLDecoder;
import java.nio.charset.Charset;
import java.nio.file.Path;
import java.nio.file.Paths;
public static String normalizePath(String path) {
    // decode once so "%2F" and "%2E" are seen as the slashes and dots they are
    path = URLDecoder.decode(path, Charset.defaultCharset());
    if (path.isEmpty()) {
        return path;
    }
    // make it an absolute path then normalize, so ".." can never climb above the root
    String normalized = Paths.get("/" + path).normalize().toString();
    // keep a leading slash if it came in with one, otherwise strip the leading slash
    return path.charAt(0) == '/' ? normalized : normalized.substring(1);
}

public static String stripPath(String path) {
    String decodedPath = URLDecoder.decode(path, Charset.defaultCharset());
    // getFileName() is null for an empty path or the root itself
    Path fileName = Paths.get(decodedPath).getFileName();
    return fileName == null ? "" : fileName.toString();
}
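The "canonicalize, then check it is a legitimate resource" defense from the thread, carried through as an added example that is not code from the thread or from owasp-java-encoder. The class name, the method names and the base directory /srv/files/a/b/c are assumed; the inputs in main() are the ones discussed above plus one constructed double-encoded variant, which a single URLDecoder pass would miss.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;

public class SafePathValidator {
    // Directory the request is allowed to reach (assumed value for this example).
    private static final Path BASE = Paths.get("/srv/files/a/b/c").toAbsolutePath().normalize();

    // Decode until the string stops changing so double-encoded input (%252F) is
    // seen as the slash it becomes; bounded so a pathological input cannot loop forever.
    // Note: URLDecoder also turns '+' into a space, which is query-string, not path, semantics.
    static String fullyDecode(String s) {
        String prev;
        int rounds = 0;
        do {
            prev = s;
            s = URLDecoder.decode(s, StandardCharsets.UTF_8);
        } while (!s.equals(prev) && ++rounds < 5);
        return s;
    }

    // Returns the resolved path if it stays under BASE, otherwise null (reject).
    public static Path resolveUnderBase(String untrusted) {
        if (untrusted == null || untrusted.isEmpty()) return null;
        try {
            String decoded = fullyDecode(untrusted);
            // resolve() of an absolute input ignores BASE, so "/key" fails the check below
            Path resolved = BASE.resolve(decoded).normalize();
            // Traversal check: the canonical result must still start with BASE.
            return resolved.startsWith(BASE) ? resolved : null;
        } catch (IllegalArgumentException e) {
            // malformed %xx sequences or characters the filesystem rejects (NUL, etc.)
            return null;
        }
    }

    public static void main(String[] args) {
        String[] inputs = {
            "okay.txt",
            "okay.txt/../../../../key.txt",
            "okay%2F..%2F..%2F..%2F..%2Fkey",
            "%6f%6b%61%79%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%6b%65%79",
            "okay%252F..%252F..%252Fkey" // constructed double-encoded variant
        };
        for (String in : inputs) {
            Path p = resolveUnderBase(in);
            System.out.println(in + " -> " + (p == null ? "REJECTED" : p));
        }
    }
}
```

Only the first input resolves to a path under BASE; every traversal variant, whatever its encoding depth, is rejected, which is the property a pure encoder cannot provide once the server decodes and canonicalizes the path.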
I suggest a new project for specialized URL validation. Since we are just an encoding library I am closing this out.