What is directory traversal

I first encountered a directory traversal bug in ThinkJS 2. The code below returns the address of a static resource when the user accesses a static URL. pathname is the path in the URL the user requested. It is simply URL-decoded and then, on line 22, joined with the resource directory, which is a very obvious directory traversal vulnerability.

Why? Suppose the user requests the URL http://xxx.com/../../../xxx.jpg: the code will return the address of a file three directory levels above think.RESOURCE_PATH. Directory traversal, also known as path traversal, exploits a flaw in a website to list server directories or read files that were never meant to be exposed.

Directory traversal is also known in English as the ../ (dot-dot-slash) attack, directory climbing, and backtracking. Some of its techniques can also be classified as canonicalization attacks. (via Wikipedia)

Hazards of directory traversal

The biggest hazard of directory traversal is that it lets any user read sensitive files on the system, which in turn can lead to the entire server being compromised. For example, if an attacker obtains the /etc/passwd file on Linux, they may be able to crack the password of the root user.

Defense

As you can see, in most cases the problem is the ../ directory jump, so the first priority of defense is filtering it out. Beyond filtering, you can also check the final file path: after resolving the complete path of the requested file, make sure its first N characters are exactly the document root directory. If they match, return the content; otherwise the address is probably an attack and should not be served.

Going back to the code problem at the start of this article, this is how it was finally fixed: normalize the final file address, check whether it starts with the RESOURCE_PATH directory, and return null if it does not.