home.social

#pathtraversalattac — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #pathtraversalattac, aggregated by home.social.

  1. Messing for hours with #Java Path api. Safely do:
    - given input path, possibly adversarial
    - prefix it with a configured outPrefix
    - ** make sure the result really points to a file/dir below outPrefix **

    Consider a somewhat unluckily configured outPrefix = ".." and an adversarial path "../..". Path.of("../..").startsWith("..") is true. But startsWith() is what AI-coders and even stackoverflow suggest. 😱

    FAIL.

    stackoverflow.com/a/50731050/2

    #pathTraversal #security #itsecurity #pathTraversalAttac
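The pitfall the post describes, shown as an added example rather than the author's own code: the lexical `startsWith` check from the post beside a hardened check that makes both sides absolute and normalized first. Class and method names are assumed.

```java
import java.nio.file.Path;

public class SafeResolveExample {

    // The check the post warns about: join and compare lexically.
    // With outPrefix = ".." and input "../..", the joined path "../../.."
    // starts with the name element "..", so this returns true even though
    // the result lies outside outPrefix.
    static boolean naiveCheck(String outPrefix, String input) {
        Path joined = Path.of(outPrefix).resolve(input);
        return joined.startsWith(Path.of(outPrefix));
    }

    // Hardened version (assumed name): make both sides absolute and
    // normalized before comparing, so ".." segments are folded away and an
    // absolute input, which resolve() returns unchanged, cannot pass.
    // Path.startsWith compares whole name elements, so "/srv/outfile" is
    // not treated as lying under "/srv/out".
    static Path safeResolve(String outPrefix, String input) {
        Path base = Path.of(outPrefix).toAbsolutePath().normalize();
        Path target = base.resolve(input).normalize();
        if (target.equals(base) || !target.startsWith(base)) {
            throw new IllegalArgumentException("input escapes " + outPrefix + ": " + input);
        }
        // normalize() is purely lexical; if the target already exists and
        // symlinks inside outPrefix are a concern, repeat the startsWith
        // check against base.toRealPath() and target.toRealPath().
        return target;
    }

    public static void main(String[] args) {
        String outPrefix = "..";  // the unlucky configuration from the post
        // constructed sample inputs, benign and adversarial
        String[] inputs = { "report.txt", "sub/report.txt", "../..", "../../etc/passwd", "/etc/passwd" };
        for (String in : inputs) {
            String verdict;
            try {
                verdict = "accepted -> " + safeResolve(outPrefix, in);
            } catch (IllegalArgumentException e) {
                verdict = "rejected";
            }
            System.out.printf("%-20s naive=%-5s hardened=%s%n", in, naiveCheck(outPrefix, in), verdict);
        }
    }
}
```

Running it shows `naive=true` for `../..` and `../../etc/passwd` while the hardened check rejects both; the accepted paths are printed as absolute locations under the resolved base.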