2. Directory Traversal:
Fix: Ensure that file upload paths are constrained to a single safe, non-executable directory. Use realpath() to resolve the destination to an absolute path and confirm that it is still inside that directory before anything is written.
Directory Traversal Exploits: If the file upload functionality is not properly sandboxed, an attacker can put "../" sequences in the file name to walk out of the upload directory and write files to parts of the server they should not reach (e.g., the web root such as /public, or system directories).
Example of Directory Traversal Vulnerability
- Malicious Input:
The attacker uploads a file whose name is a crafted path such as ../../../etc/passwd or ../../../../../../home/user/.ssh/id_rsa. Each "../" steps one directory up, so the name is meant to escape the intended upload directory and land on a system file.
- Exploiting the Vulnerability:
If the upload code simply concatenates the client-supplied name onto the upload directory, the file is written to an unintended location (e.g., /etc/ or /home/user/). Note that an upload is a write: the attacker overwrites or creates the file at that path, which only succeeds where the web server's user has permission. Often the more useful target is a location the web server will later execute or serve.
- Consequence:
- File Tampering and Sensitive Data Exposure: Writing outside the allowed directory lets the attacker overwrite configuration or account files such as /etc/passwd (on Linux), which lists the system's user accounts. If the application reuses the same unnormalized path to read files back to the client, the same "../" input discloses those files instead of overwriting them.
- Remote Code Execution: The attacker uploads a script to a directory the web server serves, such as /public_html or /uploads, and then requests it so that the server executes it.
Directory Traversal Exploit Example:
Let's say a web application allows users to upload files (such as images) to the /uploads directory.
An attacker could try to upload a file with a name like:
../../../etc/passwd
If the application builds the destination as "/uploads/" . $name without normalizing the name, the path resolves to /etc/passwd and the upload overwrites that file with attacker-controlled content (where permissions allow). If the application also serves files back using the same unchecked path, the attacker can request the same name and read the file.
Result:
- The attacker may overwrite or retrieve /etc/passwd, which lists every account on the system (user names, UIDs, home directories and login shells). Password hashes live in /etc/shadow, not in /etc/passwd, but the account list alone is valuable for further attacks.
Fixing the Directory Traversal Vulnerability:
To mitigate directory traversal attacks, you can apply the following fixes:
- Sanitize the File Path:
Always sanitize file names to ensure they do not contain sequences like ../ or absolute paths. Example in PHP:
// Keep only the last path component of the client-supplied name
$fileName = basename($_FILES['file']['name']);
basename() keeps only the final component of the path, so ../../../etc/passwd becomes passwd and no traversal is possible. Two caveats: on Linux, basename() treats a backslash as an ordinary character, so normalize Windows-style separators (str_replace('\\', '/', ...)) first if clients may send them; and basename('..') returns '..', so reject the names '.' and '..' explicitly.
Use realpath() to Get Absolute Paths:
Use realpath() to convert the destination into an absolute, symlink-resolved path and compare it with the intended directory. Two details matter: realpath() returns false for a path that does not exist, so resolve the directory the file will be written into (which exists) rather than the not-yet-written file; and the path you check must be the destination, not the temporary file PHP created for the upload.
Example in PHP:
// Target directory (must exist; realpath() returns false otherwise)
$uploadDir = '/uploads/';
$uploadDirPath = realpath($uploadDir);
// Build the destination path from the sanitized name and resolve its parent directory
$fileName = basename($_FILES['file']['name']);
$targetPath = $uploadDirPath . DIRECTORY_SEPARATOR . $fileName;
$parentPath = realpath(dirname($targetPath));
// Compare with a trailing separator, so that /uploads does not accept /uploads-old
if ($uploadDirPath !== false && $parentPath !== false
    && strpos($parentPath . DIRECTORY_SEPARATOR, $uploadDirPath . DIRECTORY_SEPARATOR) === 0) {
    // The destination is inside the allowed directory, move the file
    move_uploaded_file($_FILES['file']['tmp_name'], $targetPath);
} else {
    echo "Invalid file upload location!";
}
Explanation:
- realpath() resolves the absolute path of the upload directory and of the directory the file would be written into, following any symlinks on the way.
- strpos() checks that the resolved parent path starts with the allowed directory path. The trailing DIRECTORY_SEPARATOR on both sides is required; without it a sibling directory whose name merely begins with "/uploads" would pass. If the check fails, the upload is rejected.
- A common mistake is to call realpath() on $_FILES['file']['tmp_name']. That path points into PHP's upload temp directory, never into /uploads, so the check would reject every upload (or accept everything if the temp directory happened to sit under the upload directory). With basename() applied the destination is always directly under the upload directory; the containment check is a second layer that matters as soon as the path is built from more than a bare file name (for example a user-selected subfolder).
Restrict File Name Characters:
Limit the characters that can be used in file names. Do not accept separators or traversal sequences (../, /, \), and do not let a name start with a dot, which keeps out '.', '..' and hidden files such as .htaccess (a file that, in a directory served by Apache, could re-enable script execution).
Example:
$fileName = $_FILES['file']['name'];
// Allow only alphanumeric characters, underscores, hyphens and dots, starting with a letter or digit
if (!preg_match('/^[a-zA-Z0-9][a-zA-Z0-9_\-\.]*$/', $fileName)) {
    echo "Invalid file name!";
    exit;
}
Use a Fixed Upload Directory:
Always store uploaded files in one fixed directory that you control. Ideally it sits outside the web root and files are served back through a handler that sets the Content-Type; if it must be web-accessible, configure the web server not to execute anything in it. Never derive the directory from user input, and do not allow uploads to system directories such as /etc/ or /var/.
Prevent File Execution:
Ensure that uploaded files cannot be executed. Use a whitelist of the extensions you actually need rather than a blocklist of dangerous ones (.php, .exe, .sh and so on), because a blocklist is easily incomplete (.phtml, .phar, upper-case variants).
Example of rejecting certain file types:
$allowedExtensions = ['jpg', 'png', 'gif'];
// Compare case-insensitively, so "photo.JPG" is accepted and the allowed list stays short
$fileExtension = strtolower(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION));
if (!in_array($fileExtension, $allowedExtensions, true)) {
    echo "Invalid file extension!";
    exit;
}
pathinfo() returns only the final extension, so a name like shell.php.jpg passes this check. The safest habit is to store the file under a name the server generates (for example a random token plus the validated extension) so that the client never controls any part of the stored name.
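An added example, not code from the original post, that checks the file's content as well as its extension: the extension is matched case-insensitively against the whitelist, and the bytes are sniffed with PHP's fileinfo extension (assumed to be enabled) so that a script renamed to .png is still rejected. The function name validate_image_upload() and the sample byte strings are constructed for this illustration.

```php
<?php
// Added example (not code from the original post): validate an upload by its
// extension AND its content. The function name and the sample byte strings
// are constructed for illustration; the fileinfo extension is assumed.

const ALLOWED_TYPES = [          // extension => MIME type libmagic reports
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Return the normalized extension if both the name and the content are an
 * allowed image type, or null otherwise.
 */
function validate_image_upload(string $clientName, string $contents): ?string
{
    // Normalize case so "shell.PHP" and "photo.JPG" are treated consistently.
    // pathinfo() only looks at the last extension, so "x.php.png" yields "png"
    // and must still pass the content check below.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return null;
    }
    // Sniff the actual bytes; never trust $_FILES['file']['type'], which the
    // client chooses freely.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->buffer($contents);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return null;
    }
    return $ext;
}

// --- Constructed samples ------------------------------------------------------
// Smallest valid PNG header: signature + IHDR chunk for a 1x1 RGBA image.
$png = "\x89PNG\r\n\x1a\n"
     . "\x00\x00\x00\x0dIHDR"
     . "\x00\x00\x00\x01\x00\x00\x00\x01\x08\x06\x00\x00\x00"
     . "\x1f\x15\xc4\x89";
// GIF89a header with a 1x1 logical screen and a two-entry colour table.
$gif = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff";
// A PHP web shell, as an attacker would upload it under an image extension.
$php = "<?php system(\$_GET['cmd']); ?>";

$cases = [
    ['photo.png',     $png],   // accepted as .png
    ['PHOTO.PNG',     $png],   // accepted as .png (case normalized)
    ['shell.php',     $php],   // rejected: extension not allowed
    ['shell.php.png', $php],   // rejected: extension ok, content is not a PNG
    ['renamed.gif',   $png],   // rejected: content does not match extension
    ['anim.gif',      $gif],   // accepted as .gif
];
foreach ($cases as [$name, $bytes]) {
    $ext = validate_image_upload($name, $bytes);
    printf("%-16s => %s\n", $name, $ext === null ? 'REJECTED' : "accepted as .$ext");
}
```

In a real handler, read the bytes from $_FILES['file']['tmp_name'] (or use $finfo->file() on it) before calling move_uploaded_file(). Content sniffing raises the bar but is not a complete defence on its own: a genuine image can carry PHP code in a comment field and still report image/png, which is why storing under a server-generated name in a directory where nothing is executed remains the primary control.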
Directory Traversal Vulnerability Example with Fix:
Let's combine everything into an example that mitigates directory traversal.
<?php
// Allowed directory for uploads (must exist; realpath() returns false otherwise)
$uploadDir = '/uploads/';
$uploadDirPath = realpath($uploadDir);
// Keep only the last path component of the client-supplied name
$fileName = basename($_FILES['file']['name']);
// Check for a valid file name (alphanumeric and a few safe characters, not starting with a dot)
if (!preg_match('/^[a-zA-Z0-9][a-zA-Z0-9_\-\.]*$/', $fileName)) {
    echo "Invalid file name!";
    exit;
}
// Check the file extension, case-insensitively (e.g., only images)
$allowedExtensions = ['jpg', 'png', 'gif'];
$fileExtension = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
if (!in_array($fileExtension, $allowedExtensions, true)) {
    echo "Invalid file type!";
    exit;
}
// Build the destination path and confirm that it resolves inside the upload directory
$targetPath = $uploadDirPath . DIRECTORY_SEPARATOR . $fileName;
$parentPath = realpath(dirname($targetPath));
if ($uploadDirPath === false || $parentPath === false
    || strpos($parentPath . DIRECTORY_SEPARATOR, $uploadDirPath . DIRECTORY_SEPARATOR) !== 0) {
    echo "Invalid file upload location!";
    exit;
}
// Move the file to the upload directory and check that the move succeeded
if (move_uploaded_file($_FILES['file']['tmp_name'], $targetPath)) {
    echo "File uploaded successfully!";
} else {
    echo "Upload failed!";
}
?>
Explanation of Fixes:
- basename() reduces the client-supplied name to its last component, so sequences like ../ cannot steer the write out of the upload directory.
- The file name is checked against a strict character whitelist, and names beginning with a dot are refused.
- Only allowed file extensions (images here) are accepted, compared case-insensitively.
- realpath() is applied to the directory the file will be written into, and the result must start with the resolved upload directory plus a separator. It is the destination that is checked, not the temporary upload file, and the check runs before move_uploaded_file() is called.
- The return value of move_uploaded_file() is checked, so a failed move is not reported as success.