First iteration detecting path traversal attacks

Author: HiDAl

lib/aikido/zen/attack.rb

@@ -39,6 +39,39 @@ def exception(*)
   end
 
   module Attacks
+    class PathTraversalAttack < Attack
+      attr_reader :input
+      attr_reader :filepath
+
+      def initialize(input:, filepath:, **opts)
+        super(**opts)
+        @input = input
+        @filepath = filepath
+      end
+
+      def log_message
+        format(
+          "Path Traversal: Malicious user input «%s» detected while calling method %s",
+          @input, @operation
+        )
+      end
+
+      def as_json
+        {
+          kind: "path_traversal",
+          blocked: blocked?,
+          metadata: {
+            expanded_filepath: filepath
+          },
+          operation: @operation
+        }.merge(@input.as_json)
+      end
+
+      def exception(*)
+        PathTraversalError.new(self)
+      end
+    end
+
     class SQLInjectionAttack < Attack
       attr_reader :query
       attr_reader :input

lib/aikido/zen/errors.rb

@@ -75,6 +75,11 @@ class SSRFDetectedError < UnderAttackError
       def_delegators :@attack, :request, :input
     end
 
+    class PathTraversalError < UnderAttackError
+      extend Forwardable
+      def_delegators :@attack, :input
+    end
+
     # Raised when there's any problem communicating (or loading) libzen.
     class InternalsError < ZenError
       # @param attempt [String] description of what we were trying to do.

lib/aikido/zen/scanners.rb

@@ -3,3 +3,4 @@
 require_relative "scanners/sql_injection_scanner"
 require_relative "scanners/stored_ssrf_scanner"
 require_relative "scanners/ssrf_scanner"
+require_relative "scanners/path_traversal_scanner"

lib/aikido/zen/scanners/path_traversal/helpers.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  module Scanners
+    module PathTraversal
+      DANGEROUS_PATH_PARTS = ["../", "..\\"]
+      LINUX_ROOT_FOLDERS = [
+        "/bin/",
+        "/boot/",
+        "/dev/",
+        "/etc/",
+        "/home/",
+        "/init/",
+        "/lib/",
+        "/media/",
+        "/mnt/",
+        "/opt/",
+        "/proc/",
+        "/root/",
+        "/run/",
+        "/sbin/",
+        "/srv/",
+        "/sys/",
+        "/tmp/",
+        "/usr/",
+        "/var/"
+      ]
+
+      DANGEROUS_PATH_STARTS = LINUX_ROOT_FOLDERS + ["c:/", "c:\\"]
+
+      module Helpers
+        def self.contains_unsafe_path_parts(filepath)
+          DANGEROUS_PATH_PARTS.each do |dangerous_part|
+            return true if filepath.include?(dangerous_part)
+          end
+
+          false
+        end
+
+        def self.starts_with_unsafe_path(filepath, user_input)
+          # Check if path is relative (not absolute or drive letter path)
+          # Required because `expand_path` will build absolute paths from relative paths
+          return false if Pathname.new(filepath).relative? || Pathname.new(user_input).relative?
+
+          normalized_path = File.expand_path(filepath).downcase
+          normalized_user_input = File.expand_path(user_input).downcase
+
+          DANGEROUS_PATH_STARTS.each do |dangerous_start|
+            if normalized_path.start_with?(dangerous_start) && normalized_path.start_with?(normalized_user_input)
+              # If the user input is the same as the dangerous start, we don't want to flag it
+              # to prevent false positives.
+              # e.g., if user input is /etc/ and the path is /etc/passwd, we don't want to flag it,
+              # as long as the user input does not contain a subdirectory or filename
+              if user_input == dangerous_start || user_input == dangerous_start.chomp("/")
+                return false
+              end
+              return true
+            end
+          end
+          false
+        end
+      end
+    end
+  end
+end

lib/aikido/zen/scanners/path_traversal_scanner.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+require_relative "path_traversal/helpers"
+
+module Aikido::Zen
+  module Scanners
+    class PathTraversalScanner
+      # Checks if the user introduced input is trying to access other path using
+      # Path Traversal kind of attacks.
+      #
+      # @param filepath [String] the expanded path that is tried to be read
+      # @param context [Aikido::Zen::Context]
+      # @param sink [Aikido::Zen::Sink] the Sink that is running the scan.
+      # @param operation [Symbol, String] name of the method being scanned.
+      #
+      # @return [Aikido::Zen::Attacks::PathTraversalAttack, nil] an Attack if any
+      # user input is detected to be attempting a Path Traversal Attack, or +nil+ if not.
+      def self.call(filepath:, sink:, context:, operation:)
+        return unless context
+
+        context.payloads.each do |payload|
+          next unless new(filepath, payload.value).attack?
+
+          return Attacks::PathTraversalAttack.new(
+            sink: sink,
+            input: payload,
+            filepath: filepath,
+            context: context,
+            operation: "#{sink.operation}.#{operation}"
+          )
+        end
+
+        nil
+      end
+
+      def initialize(filepath, input)
+        @filepath = filepath.downcase
+        @input = input.downcase
+      end
+
+      def attack?
+        # Single character are ignored because they don't pose a big threat
+        return false if @input.length <= 1
+
+        # We ignore cases where the user input is longer than the file path.
+        # Because the user input can't be part of the file path.
+        return false if @input.length > @filepath.length
+
+        # We ignore cases where the user input is not part of the file path.
+        return false unless @filepath.include?(@input)
+
+        if PathTraversal::Helpers.contains_unsafe_path_parts(@filepath) && PathTraversal::Helpers.contains_unsafe_path_parts(@input)
+          return true
+        end
+
+        # Check for absolute path traversal
+        PathTraversal::Helpers.starts_with_unsafe_path(@filepath, @input)
+      end
+    end
+  end
+end

lib/aikido/zen/sinks.rb

@@ -5,6 +5,7 @@
 require_relative "sinks/socket"
 
 require_relative "sinks/action_controller" if defined?(::ActionController)
+require_relative "sinks/file" if defined?(::File)
 require_relative "sinks/resolv" if defined?(::Resolv)
 require_relative "sinks/net_http" if defined?(::Net::HTTP)
 require_relative "sinks/http" if defined?(::HTTP)

lib/aikido/zen/sinks/file.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module Aikido::Zen
+  # Hooked only on `read` & `write` methods of `File`. We could extends to other methods like `open`
+  # but that's outside of the challenge scope.
+  module Sinks
+    module File
+      SINK = Sinks.add("File", scanners: [
+        Aikido::Zen::Scanners::PathTraversalScanner
+      ])
+
+      module Extensions
+        def self.scan_path(filepath, operation)
+          Aikido::Zen.config.logger.debug "Sending to scan: #{filepath}"
+
+          SINK.scan(
+            filepath: filepath,
+            operation: operation
+          )
+        end
+
+        def read(filename, *)
+          Extensions.scan_path(filename, "read")
+
+          super
+        end
+
+        def write(filename, *, **)
+          Extensions.scan_path(filename, "write")
+
+          super
+        end
+      end
+    end
+  end
+end
+
+::File.singleton_class.prepend(Aikido::Zen::Sinks::File::Extensions)

test/aikido/zen/scanners/path_traversal_scanner_test.rb

@@ -0,0 +1,101 @@
+# frozen_string_literal: true
+
+require "test_helper"
+
+class Aikido::Zen::Scanners::PathTraversalScannerTest < ActiveSupport::TestCase
+  def assert_attack(filepath, input = filepath, reason = "#{input} was not blocked")
+    assert scan(filepath, input), reason
+  end
+
+  def refute_attack(filepath, input = filepath, reason = "#{input} was blocked")
+    refute scan(filepath, input), reason
+  end
+
+  def scan(filepath, input = query)
+    Aikido::Zen::Scanners::PathTraversalScanner.new(filepath, input).attack?
+  end
+
+  test "no path traversal" do
+    refute_attack "/some-directory/sub-folder/file.txt", "/sub-folder/file.txt"
+  end
+
+  test "ignores input with length <= 1" do
+    refute_attack ""
+    refute_attack "a"
+    refute_attack "abcd", ""
+    refute_attack "abcd", "a"
+  end
+
+  test "ignores in case the input is longer than the filepath" do
+    refute_attack "1", "12"
+    refute_attack "base-string", "base-string-plus-words"
+  end
+
+  test "ignores in case the input not contained by filepath" do
+    refute_attack "1", "a"
+    refute_attack "base-string", "base-string".reverse
+  end
+
+  test "same as user input" do
+    refute_attack "file.txt", "file.txt"
+  end
+
+  test "with directory before" do
+    refute_attack "directory/file.txt", "file.txt"
+    refute_attack "directory/file.txt", "directory/file.txt"
+  end
+
+  test "it flags bad inputs" do
+    # inputs with ../
+    assert_attack "../file.txt", "../"
+    assert_attack "../file.txt", "../file.txt"
+    assert_attack "../../file.txt", "../../"
+    assert_attack "../../file.txt", "../../file.txt"
+
+    # inputs with ..\\
+    assert_attack "..\\file.txt", "..\\"
+    assert_attack "..\\file.txt", "..\\file.txt"
+    assert_attack "..\\..\\file.txt", "..\\..\\"
+    assert_attack "..\\..\\file.txt", "..\\..\\file.txt"
+
+    # inputs with ./../
+    assert_attack "./../file.txt", "./../"
+    assert_attack "./../file.txt", "./../file.txt"
+    assert_attack "./../../file.txt", "./../../"
+    assert_attack "./../../file.txt", "./../../file.txt"
+  end
+
+  test "linux paths" do
+    refute_attack "/etc/passwd", "/etc/"
+    assert_attack "/etc/passwd", "/etc/passwd"
+    assert_attack "/etc/../etc/passwd", "/etc/../etc/passwd"
+    assert_attack "/home/user/file.txt", "/home/user"
+  end
+
+  test "possible bypasses" do
+    assert_attack "/./etc/passwd", "/./etc/passwd"
+    assert_attack "/./././root/file.txt", "/./././root/"
+    assert_attack "/./././root/file.txt", "/./././root/file.txt"
+  end
+
+  test "does not detect if user input path contains no filename or subfolder" do
+    refute_attack "/etc/app/test.txt", "/etc/"
+    refute_attack "/etc/app/", "/etc/"
+    refute_attack "/etc/app/", "/etc"
+    refute_attack "/etc/", "/etc/"
+    refute_attack "/etc", "/etc"
+    refute_attack "/var/a", "/var/"
+    refute_attack "/var/a", "/var/b"
+    refute_attack "/var/a", "/var/b/test.txt"
+  end
+
+  test "it does dected if user input path contains a filename or subfolder" do
+    assert_attack "/etc/app/file.txt", "/etc/app"
+    assert_attack "/etc/app/file.txt", "/etc/app/file.txt"
+    assert_attack "/var/backups/file.txt", "/var/backups"
+    assert_attack "/var/backups/file.txt", "/var/backups/file.txt"
+    assert_attack "/var/a", "/var/a"
+    assert_attack "/var/a/b", "/var/a"
+    assert_attack "/var/a/b/test.txt", "/var/a"
+  end
+end

test/aikido/zen/sinks/file_test.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+require "test_helper"
+
+class Aikido::Zen::Sinks::FileTest < ActiveSupport::TestCase
+  include StubsCurrentContext
+  include SinkAttackHelpers
+
+  test "scanning does not interfere with File.read normally" do
+    tmp_file = Tempfile.new("path-traversal-sink-read")
+
+    begin
+      tmp_file.write "some content"
+      tmp_file.close
+
+      assert_equal File.read(tmp_file.path), "some content"
+    ensure
+      tmp_file.unlink
+    end
+  end
+
+  test "scanning does not interfere with File.write normally" do
+    ::Dir::Tmpname.create("path-traversal-sink-write", Dir.tmpdir) do |path|
+      File.write path, "path-traversal-sink-write"
+
+      assert_equal File.read(path), "path-traversal-sink-write"
+      File.unlink path
+    end
+  end
+
+  test "does not fail when the context is null" do
+    refute_attack do
+      # We expect the next `File.read` will fail *because& the file does not exist,
+      # but no because it is Path Traversal Attack
+      assert_raise Errno::ENOENT do
+        File.read('../this-is-an-attack')
+      end
+    end
+  end
+
+  test "scanning detects Path Traversal Attacks" do
+      set_context_from_request_to "/?filename=../this-is-an-attack"
+
+      error = assert_attack Aikido::Zen::Attacks::PathTraversalAttack do
+        File.read('../this-is-an-attack')
+      end
+
+      assert_equal \
+        error.message,
+        "Path Traversal: Malicious user input «../this-is-an-attack» detected while calling method File.read"
+  end
+end