Security implications of displaying files from user-provided paths
Assume some intranet WebAPI endpoint like:
    using System;
    using System.Web.Http;

    public class AttachmentDto
    {
        // Supplied verbatim by the client: a file system path, typically a UNC share path.
        public String Path { get; set; }
    }

    public class AttachmentsApiController : ApiController
    {
        public void Post(AttachmentDto attachment)
        {
            // The client-chosen path goes straight to storage without any validation.
            var attachmentsStorage = new AttachmentsStorage();
            attachmentsStorage.Add(attachment.Path);
        }
    }
where AttachmentsStorage in one way or another reads the file at attachment.Path (on one network share or another) and saves the contents at some more or less publicly available and known place.
That is basically equivalent to simply
    public String Post(AttachmentDto attachment)
    {
        // Reads whatever the service account can reach at the client-chosen path.
        return File.ReadAllText(attachment.Path);
    }
That, in my opinion, amounts to a security vulnerability, even though the system is intranet-only, because any file on the server that is accessible to the service account in use can technically be read.
Am I correct?
If it is so, then what can be done to mitigate this issue?
I've considered:
1. Prohibit any addresses that are not network shares. Something like:

       private Boolean IsNetworkShareFile(String path)
       {
           // Note: new Uri(path) throws UriFormatException on malformed input.
           var uri = new Uri(path);
           return uri.IsFile && uri.IsUnc && uri.IsAbsoluteUri;
       }

   It seems to work, but at best it prevents only local file access (though some file shares can actually point to local paths) and doesn't restrict access to private shares.
2. Windows authentication (authentication mode="Windows") seems the best solution, though it will require changing account settings in Active Directory.


What you are describing is known as an Insecure Direct Object Reference and is in the OWASP top 10.
You can guess the mitigations from the title. You can do either of the following (or both):
The server should validate Path, ideally against a white list.
Paths can be a little tricky to validate because they can contain escape characters. Be sure to use Path.Combine and MapPath instead of performing any path computation yourself.
Also, since this is a string that is being input into your system, always check for injection.
Modify the API's interface so the client submits a PathID instead of a Path, and make PathID discoverable via some other service call which lists only those specific files that the client has the right to access. If the system has per-user permissions (i.e. ACL), then bind the PathID namespace to the user session, so that one user cannot guess another user's PathIDs.