I wrote a small service in go (although I don't think this would be a language specific issue), that caches some results by saving it to a file, and writing a URL query parameter into the filename with "prefix" param ".json" using ioutil.WriteFile. The service runs on Ubuntu.

Is it possible to do something malicious, by passing an unexpected string via the query?

CodePudding user response：

Relevant attacks that come to mind are called path injection. For example what if the query parameter is something like ../../etc/passwd (okthis would probably not work as the user running this service would have no permissions, but you get the point). For example it could be possible to overwrite your service code itself.

You should sanitize the parameter before adding it to the filename. The best would be a strict whitelist of letters and numbers that are allowed, anything else should ve removed from the parameter. That way injection would not be possible.

You can also check whether the path you are writing to is actually under an explicitly allowed directory.

CodePudding user response：

I will make a test in python, here is the struct of the project

app1/main.py

while True:
    a = input() # passing query
    with open("{}.json".format(a), "w") as f:
        f.write("Hello world")

now i am a hacker, and i want to change "yourfile.json" so i passed this
and than, the content of yourfile.json become: Hello world