
Security implications of displaying files from user-provided paths

Assume some intranet WebAPI endpoint like:

public class AttachmentDto
{
    public String Path { get; set; }
}


public class AttachmentsApiController : ApiController
{
    public void Post(AttachmentDto attachment) 
    {   
        var attachmentsStorage = new AttachmentsStorage();
        attachmentsStorage.Add(attachment.Path);
    }
}

where AttachmentsStorage in one or another way reads the file at attachment.Path (one or another network share) and saves the contents at some more or less publicly available and known place.

That is basically equivalent to simply

public String Post(AttachmentDto attachment) 
{   
    return File.ReadAllText(attachment.Path);
}

That in my opinion evaluates to a security vulnerability, even though the system is intranet, because any file on the server that is accessible to the used service account can be technically read.

Am I correct?


If it is so, then what can be done to mitigate this issue?

I've considered:

  1. Pass the file contents - possible, though not desired for this particular system because of the assumed design and possible size of the files.
  2. Prohibit any addresses that are not network shares. Something like:

     private Boolean IsNetworkShareFile(String path)
     {
         var uri = new Uri(path);
         return uri.IsFile && uri.IsUnc && uri.IsAbsoluteUri;
     }

It seems to work, but it at best prevents only local file access (though some file share can actually point to local) and doesn't restrict access to private shares.

  3. Try impersonation/delegation - probably the best solution with authentication mode="Windows", though it will require changing account settings in Active Directory

This is an A4

What you are describing is known as an Insecure Direct Object Reference and is in the OWASP top 10.

You can guess the mitigations from the title. You can either

  1. Secure the references, or
  2. Use indirect object references instead

(or both)

Secure the reference

The server should validate Path, ideally against a white list.

Paths can be a little tricky to validate because they can contain escape characters. Be sure to use Path.Combine and MapPath instead of performing any path computation yourself.

Also, since this is a string that is being input into your system, always check for injection.

Use an indirect object reference

Modify the API's interface so the client submits a PathID instead of a Path, and make PathID discoverable via some other service call which lists only those specific files that the client has the right to access. If the system has per-user permissions (i.e. ACL), then bind the PathID namespace to the user session, so that one user cannot guess another user's PathIDs.
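As an added example (not code from the question or the answer), here are the two mitigations above in C#: a whitelist check that canonicalizes the submitted path before comparing it with the allowed share roots, and a per-user catalog that hands out opaque ids instead of paths. The share root and class names are constructed placeholders, and the canonicalization assumes Windows Path.GetFullPath semantics.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

// Added example, not part of the original post. Share roots are constructed
// placeholders; Path.GetFullPath behaviour on UNC paths assumes Windows.
public static class AttachmentPathPolicy
{
    // Whitelist of share roots the service may read from. The trailing separator
    // matters: without it "\\fileserver01\attachments\public-old\" would also match.
    static readonly string[] AllowedRoots = { @"\\fileserver01\attachments\public\" };

    // Returns the canonical path if it lies under an allowed root, otherwise null.
    public static string ResolveAllowed(string userPath)
    {
        Uri uri;
        if (string.IsNullOrWhiteSpace(userPath)
            || !Uri.TryCreate(userPath, UriKind.Absolute, out uri)
            || !uri.IsFile || !uri.IsUnc)
            return null;                         // rejects C:\..., http://..., relative paths

        // Canonicalize before the prefix check so "." and ".." segments are collapsed;
        // comparing the raw string would let "public\..\private\x" through.
        string full = Path.GetFullPath(userPath);
        foreach (string root in AllowedRoots)
            if (full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
                return full;
        return null;
    }
}

// Indirect object reference: the client submits an opaque id, the server owns the
// id -> path mapping, and the mapping is bound to the user so ids are not guessable
// or reusable across users.
public sealed class AttachmentCatalog
{
    readonly Dictionary<string, Dictionary<Guid, string>> _byUser =
        new Dictionary<string, Dictionary<Guid, string>>();

    // Called by the listing service that knows which files this user may access.
    public Guid Register(string user, string path)
    {
        if (!_byUser.TryGetValue(user, out var ids))
            _byUser[user] = ids = new Dictionary<Guid, string>();
        var id = Guid.NewGuid();
        ids[id] = path;
        return id;
    }

    // Succeeds only for an id that was issued to this same user.
    public string Lookup(string user, Guid id) =>
        _byUser.TryGetValue(user, out var ids) && ids.TryGetValue(id, out var p) ? p : null;
}
```

The whitelist check is purely string-based, so it inherits the caveat raised in the question: a permitted share can itself point at the local machine, which is why the allowed roots must be chosen deliberately rather than derived from client input.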
