A look at directory traversal attacks
Published: 2019-06-22


This article looks at the directory traversal attack and how to defend against it.

directory traversal attack

Also called a path traversal attack, it aims to access files or directories outside the web server's root directory. It is usually carried out by passing "../" sequences in the URL or in a parameter value.

Via the URL

For example

http://some_site.com.br/../../../../some dir/some file

or

http://some_site.com.br/../../../../etc/shadow

Via a parameter

Usually in a file download interface, for example

http://some_site.com.br/get-files?file=/etc/passwd

or

http://some_site.com.br/get-files?file=../../../../some dir/some file

Defenses

For the URL

Spring Security provides DefaultHttpFirewall for this. It exists because some servlet containers do not follow the servlet spec when it comes to normalizing paths, so the firewall does the check itself. Source: spring-security-web-4.2.3.RELEASE-sources.jar!/org/springframework/security/web/firewall/DefaultHttpFirewall.java

/**
 * Default implementation which wraps requests in order to provide consistent
 * values of the {@code servletPath} and {@code pathInfo}, which do not contain
 * path parameters (as defined in RFC 2396). Different servlet containers
 * interpret the servlet spec differently as to how path parameters are treated
 * and it is possible they might be added in order to bypass particular security
 * constraints. When using this implementation, they will be removed for all
 * requests as the request passes through the security filter chain. Note that
 * this means that any segments in the decoded path which contain a semi-colon,
 * will have the part following the semi-colon removed for request matching.
 * Your application should not contain any valid paths which contain semi-colons.
 *
 * If any un-normalized paths are found (containing directory-traversal
 * character sequences), the request will be rejected immediately. Most
 * containers normalize the paths before performing the servlet-mapping, but
 * again this is not guaranteed by the servlet spec.
 *
 * @author Luke Taylor
 */
public class DefaultHttpFirewall implements HttpFirewall {
    private boolean allowUrlEncodedSlash;

    @Override
    public FirewalledRequest getFirewalledRequest(HttpServletRequest request)
            throws RequestRejectedException {
        FirewalledRequest fwr = new RequestWrapper(request);

        if (!isNormalized(fwr.getServletPath()) || !isNormalized(fwr.getPathInfo())) {
            throw new RequestRejectedException("Un-normalized paths are not supported: "
                    + fwr.getServletPath()
                    + (fwr.getPathInfo() != null ? fwr.getPathInfo() : ""));
        }

        String requestURI = fwr.getRequestURI();
        if (containsInvalidUrlEncodedSlash(requestURI)) {
            throw new RequestRejectedException(
                    "The requestURI cannot contain encoded slash. Got " + requestURI);
        }

        return fwr;
    }

    @Override
    public HttpServletResponse getFirewalledResponse(HttpServletResponse response) {
        return new FirewalledResponse(response);
    }

    /**
     * Sets if the application should allow a URL encoded slash character.
     *
     * If true (default is false), a URL encoded slash will be allowed in the
     * URL. Allowing encoded slashes can cause security vulnerabilities in some
     * situations depending on how the container constructs the
     * HttpServletRequest.
     *
     * @param allowUrlEncodedSlash the new value (default false)
     */
    public void setAllowUrlEncodedSlash(boolean allowUrlEncodedSlash) {
        this.allowUrlEncodedSlash = allowUrlEncodedSlash;
    }

    private boolean containsInvalidUrlEncodedSlash(String uri) {
        if (this.allowUrlEncodedSlash || uri == null) {
            return false;
        }
        if (uri.contains("%2f") || uri.contains("%2F")) {
            return true;
        }
        return false;
    }

    /**
     * Checks whether a path is normalized (doesn't contain path traversal
     * sequences like "./", "/../" or "/.")
     *
     * @param path the path to test
     * @return true if the path doesn't contain any path-traversal character
     * sequences.
     */
    private boolean isNormalized(String path) {
        if (path == null) {
            return true;
        }
        // Walk the path segment by segment from the end, looking for "." or ".."
        for (int j = path.length(); j > 0;) {
            int i = path.lastIndexOf('/', j - 1);
            int gap = j - i;
            if (gap == 2 && path.charAt(i + 1) == '.') {
                // ".", "/./" or "/."
                return false;
            }
            else if (gap == 3 && path.charAt(i + 1) == '.' && path.charAt(i + 2) == '.') {
                return false;
            }
            j = i;
        }
        return true;
    }
}

This is where the URL is checked: a request is rejected with RequestRejectedException if its servletPath or pathInfo contains a "." or ".." segment, and, unless allowUrlEncodedSlash has been enabled, if the request URI contains an encoded slash (%2f or %2F).

Via a parameter

For this case the framework has no built-in check, so you have to take care of it yourself when developing the application service. Here are a few defenses.

  • Filter the parameter value

import java.util.regex.Pattern;

// Reject any value containing "../" or "..\" before it is used as a path
final Pattern INVALID_PATH_PATTERN = Pattern.compile("(\\.\\.\\/|\\.\\.\\\\)");
if (INVALID_PATH_PATTERN.matcher(path).find()) {
    throw new BadRequestException("invalid path");
}
  • Use absolutePath together with canonicalPath

absolutePath does not process "../", while canonicalPath resolves it, so checking whether the two are equal tells you whether the path contained "../".

// getCanonicalPath() resolves ".." and "." (and symlinks); getAbsolutePath() does not
if (!file.getAbsolutePath().equals(file.getCanonicalPath())) {
    throw new BadRequestException("invalid path");
}
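The two parameter-level checks above catch "../" but not the other form shown at the start of the post, an absolute parameter such as file=/etc/passwd, whose absolute and canonical forms are identical. The following example is added here and is not code from the original post or from Spring Security; it assumes a hypothetical download directory /var/app/downloads and a hypothetical handler class SafeDownloadPath, and it resolves the user-supplied name inside that directory and keeps it only if the canonical result is still under the base.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical download handler (assumed for this example, not from the post).
public class SafeDownloadPath {

    // Directory downloads are allowed to come from (assumed value).
    private static final Path BASE_DIR = Paths.get("/var/app/downloads");

    /**
     * Resolves userSupplied against BASE_DIR and returns the canonical path only
     * if it is still inside BASE_DIR. Traversal ("../"), an absolute path
     * ("/etc/passwd") and a symlink escape are all rejected.
     */
    public static Path resolveInsideBase(String userSupplied) throws IOException {
        // An absolute parameter is never a legitimate download name; reject it outright.
        if (Paths.get(userSupplied).isAbsolute()) {
            throw new IllegalArgumentException("invalid path");
        }
        // Canonical form resolves "..", "." and symlinks before the containment check.
        File base = BASE_DIR.toFile().getCanonicalFile();
        File target = new File(base, userSupplied).getCanonicalFile();
        // The prefix must end with the separator so that a sibling directory such as
        // "/var/app/downloads-private" is not treated as being inside the base.
        String basePrefix = base.getPath() + File.separator;
        if (!target.getPath().startsWith(basePrefix)) {
            throw new IllegalArgumentException("invalid path");
        }
        return target.toPath();
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: the first is accepted, the other three are rejected.
        String[] inputs = { "report.pdf", "../../../etc/passwd", "/etc/passwd", "sub/../../secret" };
        for (String in : inputs) {
            try {
                System.out.println(in + " -> " + resolveInsideBase(in));
            } catch (IllegalArgumentException e) {
                System.out.println(in + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Because the containment check is done on the canonical path, it also covers a "../" that is written in a form the regex filter above would miss, such as a backslash on a platform where it is a separator.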

Summary

When writing a file download service, pay special attention to directory traversal attacks. The web framework usually protects you at the URL level, but at the parameter level you have to add the check yourself.


Reprinted from: http://ymlpa.baihongyu.com/
