How To Prevent Directory Traversal Attacks
- Avoid passing user-supplied input to filesystem APIs.
- If this isn't possible, do the following:
  - The application should validate the user input before processing it by comparing it against an allow list.
  - Append the input to the base directory and use the platform filesystem API to canonicalize the resulting path.
Sample code that does this:

```java
import java.io.File;
import java.io.IOException;

// BASE_DIRECTORY holds the canonical path of the directory the application may serve from;
// userInput is the untrusted file name supplied by the client.
File file = new File(BASE_DIRECTORY, userInput);
// Canonicalize (resolves "..", symlinks, etc.) and confirm the result is still under the base
if (file.getCanonicalPath().startsWith(BASE_DIRECTORY)) {
    // process file
}
```
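The same two steps in Python, as an added example that is not part of the original page; `BASE_DIRECTORY` and the allow-list entries are constructed values. It uses `os.path.commonpath` rather than a bare string prefix test so that a sibling directory whose name merely starts with the base name (e.g. `images2` beside `images`) is not mistaken for the base.

```python
import os
from typing import Optional

# Constructed example values (not from the original page): the directory the
# application is allowed to serve from, and the allow list of permitted names.
BASE_DIRECTORY = "/var/www/images"
ALLOWED_FILES = {"logo.png", "banner.jpg"}


def is_allowed_name(user_input: str) -> bool:
    """Step 1: compare the raw input against the allow list before using it."""
    return user_input in ALLOWED_FILES


def resolve_inside_base(base: str, user_input: str) -> Optional[str]:
    """Step 2: append the input to the base directory, canonicalize, and
    confirm the result is still inside the base. Returns the canonical path,
    or None if the input escaped (via "..", an absolute path, or a symlink).
    """
    canonical_base = os.path.realpath(base)
    # os.path.join discards the base when user_input is absolute; realpath
    # then exposes that, and the containment check below rejects it.
    candidate = os.path.realpath(os.path.join(canonical_base, user_input))
    try:
        # commonpath works on path components, so "/var/www/images2" does not
        # count as being inside "/var/www/images" the way str.startswith would.
        inside = os.path.commonpath([canonical_base, candidate]) == canonical_base
    except ValueError:  # paths on different drives (Windows) share no prefix
        inside = False
    return candidate if inside else None


def safe_path(user_input: str) -> Optional[str]:
    """Combined check: allow list first, then canonical-path containment."""
    if not is_allowed_name(user_input):
        return None
    return resolve_inside_base(BASE_DIRECTORY, user_input)
```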