Skip to main content

File inclusion

Description

Directory traversal occurs when a server allows an attacker to read a file or directories outside of the normal web server directory, and local file inclusion gives the attacker the ability to include an arbitrary local file (from the web server) in the web server's response.

Example: getProfilePicture(name: '../../../etc/password') returns the server's /etc/password file.

Remediation

There are multiple ways to prevent directory traversal attacks:

  • Avoid using parameters entered directly by the user.
  • Set up a file/folder name whitelist system: allow only certain folders and/or types of extensions, thus excluding all others.
  • Compartmentalize your data and implement middlewares. These can take the form of an interface to the (potentially external) file system on which the data users may request is stored. If the attached data storage is dedicated to this purpose only and does not contain sensitive data, the risk is limited, even if a user manages to bypass the limitations that this middleware can put in place.
  • Restrict access of the GraphQL worker to what is strictly necessary. By restricting as much as possible the files and folders to which the GraphQL worker has access, you reduce the range of files potentially exposed by an attack.
  • Take advantage of virtualization. With virtualization, it is possible to have several virtual machines completely isolated from each other. The GraphQL worker can therefore be isolated on its own virtual machine, allowing it access only to the elements absolutely necessary for its proper execution.

GraphQL Specific

Apollo

To mitigate file inclusion vulnerabilities in the Apollo framework engine, ensure that user input is not directly used to specify files to be included. Implement a whitelist of allowed files and verify that the requested file is in the whitelist before including it. Additionally, use proper input validation and sanitization to prevent malicious input from being processed. Consider using built-in functions that provide secure file handling and avoid dynamic file inclusion whenever possible.

Yoga

To mitigate file inclusion vulnerabilities in the Yoga framework engine, ensure that user input is not directly used to specify files to be included. Employ a whitelist of allowed files, validate and sanitize all user inputs, and avoid dynamic file paths. Additionally, use the framework's built-in functions for file handling that are designed to prevent such vulnerabilities.

Awsappsync

To mitigate file inclusion vulnerabilities in the AWS AppSync framework, ensure that any user-supplied input is properly sanitized and validated. Avoid using dynamic file paths that can be manipulated by an attacker. Implement a strict allowlist of permissible files to be included, and use AWS AppSync's built-in resolvers and velocity templates to securely manage and process file paths. Regularly review and update security policies and IAM roles to adhere to the principle of least privilege.

Graphqlgo

To mitigate file inclusion vulnerabilities in a GraphQL Go framework engine, ensure that user-supplied input is not used directly to determine the files to be included. Implement strict input validation, use a whitelist of allowed files, and employ the principle of least privilege when accessing file system resources. Additionally, consider using built-in functions for file handling that abstract the underlying file system structure, and regularly update your dependencies to incorporate security fixes.

Graphqlruby

To mitigate file inclusion vulnerabilities in a GraphQL Ruby framework engine, ensure that user-supplied input is not used directly to determine the files to be included or executed. Use a whitelist of allowed files, sanitize and validate all input rigorously, and employ the principle of least privilege when granting file system access to the application. Additionally, consider using built-in mechanisms for template rendering and avoid dynamic file paths.

Hasura

To mitigate file inclusion vulnerabilities in the Hasura framework, ensure that all file paths are handled securely. Avoid using user input directly when specifying file paths. If dynamic file paths are necessary, validate and sanitize the input rigorously to prevent directory traversal attacks. Additionally, use a whitelist approach to limit accessible files to only those that are required for application functionality. Keep the Hasura engine and all dependencies up to date to benefit from the latest security patches.

Configuration

Identifier: injection/file_inclusion

Options

  • skip_objects : List of object that are to be skipped by the security test.

Examples

Ignore this check

checks:
injection/file_inclusion:
skip: true

Score

  • Escape Severity: HIGH

Compliance

  • OWASP: API10:2023

  • pci: 6.5.1

  • gdpr: Article-32

  • soc2: CC6

  • psd2: Article-95

  • iso27001: A.14.2

  • nist: SP800-123

  • fedramp: SI-10

Classification

  • CWE: 22

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
  • CVSS_SCORE: 7.2

References