Security violation --External Control of File Name or Path possible


I have an image gallery and am rendering the image in the following ways:

    <a href="/Gallery/GetImage?Name=sample.jpg">Imagename</a> //user clicks hyperlink to download file

    <img src="/Gallery/GetImage?Name=sample.jpg"> //Displaying the image

My GetImage() function is below, where I get the image and return it.

    public ActionResult GetImage(string Name)
    {
        ..
        ...
        return File(FilePath, Type, Name); //Filepath - server folder where image located
                                            //Name is File name
    }

Is this a security violation? The error is shown at the line where I am returning the file.

Is there a better way I can handle this?

How can I avoid this violation?

Any suggestions are much appreciated.

Thanks

There are 2 answers

1
joker1979 On

This question is pretty old, but since karma is supposed to go around, I would like to show you how I solved this problem.

I tend to take advantage of the ESAPI API. The Veracode scanner seems to look for assignments to "sanitized" values that are deemed safe. Check the ESAPI library here: http://code.google.com/p/owasp-esapi-java/downloads/list . While there are utility methods, I always find myself falling back on the getValidInput method because it is low level enough to sanitize and flexible enough to plug in to existing functionality.

Here's what that would look like:

    public ActionResult GetImage(string Name)
    {
        ..
        ...
        // Validate the user-supplied name before it is used in the response
        string sanitizedInput = ESAPI.validator().getValidInput("FileName", Name, "FileName", true);
        return File(FilePath, Type, sanitizedInput);
    }

You can check the doc for the complete specification of the API.

This pattern seems to work well with most of the problems I've come across not only for CWE-73 but others as well.

0
Igarr On

Independent of the "security violation", passing file names through query strings isn't a good practice. It might allow file inclusion attacks, allowing attackers to view the source code of your application or disclose internal information such as the 'etc/passwd' file in a Linux environment.

Even if you hardcode the filepath and type, these are protections that might be bypassed.

For more information on "External Control of File Name or Path possible" check out: http://cwe.mitre.org/data/definitions/73.html

Description Summary: The software allows user input to control or influence paths or file names that are used in filesystem operations.

Extended Description: This could allow an attacker to access or modify system files or other files that are critical to the application. Path manipulation errors occur when the following two conditions are met:

1. An attacker can specify a path used in an operation on the filesystem.
2. By specifying the resource, the attacker gains a capability that would not otherwise be permitted.

For example, the program may give the attacker the ability to overwrite the specified file or run with a configuration controlled by the attacker.

Regarding your security violation, in what specific context is that error being thrown?
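
An added example (not code from either answer, and not part of ESAPI): one way to constrain the `Name` parameter before it reaches `File(...)`, combining an allow-list on the file name with a canonicalize-and-contain check against the gallery folder, so that neither of the two CWE-73 conditions quoted above holds. The names `GalleryPaths` and `Resolve`, the accepted extensions, the 64-character limit and the sample root folder are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;

static class GalleryPaths
{
    // Allow-list (assumed policy): letters, digits, '_' or '-', then one known image extension.
    // No separators, no dots in the base name, no drive letters.
    static readonly Regex SafeName = new Regex(
        @"\A[A-Za-z0-9_-]{1,64}\.(jpg|jpeg|png|gif)\z",
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    // Returns the full path of `name` inside `galleryRoot`, or null if the name is rejected.
    public static string Resolve(string galleryRoot, string name)
    {
        if (name == null || !SafeName.IsMatch(name))
            return null;

        // Canonical root with a trailing separator, so "gallery2" cannot pass as "gallery".
        string root = Path.GetFullPath(galleryRoot);
        string sep = Path.DirectorySeparatorChar.ToString();
        if (!root.EndsWith(sep, StringComparison.Ordinal))
            root += sep;

        // Defense in depth: canonicalize the combined path and confirm it is still under the root.
        string full = Path.GetFullPath(Path.Combine(root, name));
        return full.StartsWith(root, StringComparison.Ordinal) ? full : null;
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed sample root and inputs; only the first input should be accepted.
        string root = Path.Combine(Path.GetTempPath(), "gallery");
        string[] samples = { "sample.jpg", "../../etc/passwd", "..\\sample.jpg",
                             "sub/sample.jpg", "sample.jpg.exe", "" };
        foreach (string s in samples)
            Console.WriteLine("{0,-20} -> {1}", "\"" + s + "\"",
                              GalleryPaths.Resolve(root, s) ?? "REJECTED");
    }
}
```

In the `GetImage` action, the result of `GalleryPaths.Resolve(...)` would replace the raw `Name`: return a not-found result when it is null, otherwise pass the resolved path to `File(...)` and `Path.GetFileName` of it as the download name.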