If a path is constructed from user-provided input without sufficient sanitization, a malicious user may be able to manipulate the contents of the filesystem without proper authorization.
Additionally, if user-provided input is used to create file contents, a malicious user can likewise manipulate the filesystem in an unchecked way.
CAP applications using CDS Utils should not use user-provided input without sanitization.
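One way to sanitize a user-supplied relative path before handing it to `rm` or `write(...).to(...)` is a containment check against a fixed base directory. This is an added example, not code from the CDS Utils documentation or from this query; `BASE_DIR`, `resolveInside` and `isAllowed` are hypothetical names, and the `db/data` base directory is an assumption.

```javascript
const path = require("node:path");

// Assumption: every file the service may touch lives under this directory.
const BASE_DIR = path.resolve("db", "data");

// Resolve userInput against baseDir and return the absolute path only if the
// result stays strictly inside baseDir; throw otherwise.
// This is a lexical check: it does not follow symlinks inside baseDir.
function resolveInside(baseDir, userInput) {
  if (typeof userInput !== "string" || userInput.length === 0) {
    throw new Error("path must be a non-empty string");
  }
  if (userInput.includes("\0")) {
    throw new Error("path contains a NUL byte");
  }
  const base = path.resolve(baseDir);
  const target = path.resolve(base, userInput); // collapses "." and ".." segments
  const rel = path.relative(base, target);
  // rel is "" when target is the base itself, begins with ".." when the
  // target is outside the base, and is absolute for another drive on Windows.
  const escapes =
    rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
  if (rel === "" || escapes) {
    throw new Error("path escapes the allowed directory");
  }
  return target;
}

// Boolean wrapper, convenient for rejecting a request early in a handler.
function isAllowed(userInput) {
  try {
    resolveInside(BASE_DIR, userInput);
    return true;
  } catch {
    return false;
  }
}
```

In a handler, the value returned by `resolveInside` would be passed to the CDS Utils call in place of the raw request data.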
This CAP service directly uses user-provided input to construct a path.
```javascript
const cds = require("@sap/cds");
const { rm } = cds.utils;

module.exports = class Service1 extends cds.ApplicationService {
  init() {
    this.on("send1", async (req) => {
      // BAD: user-provided input is used as a path segment
      let userinput = req.data;
      await rm(userinput, 'db', 'data'); // Path injection alert
    });
    return super.init();
  }
};
```

This CAP service directly uses user-provided input to add content to a file.
```javascript
const cds = require("@sap/cds");
const { rm, write } = cds.utils;

module.exports = class Service1 extends cds.ApplicationService {
  init() {
    this.on("send1", async (req) => {
      let userinput = req.data;
      // BAD: user-provided input is written to the file unchecked
      await write(userinput).to('db/data'); // Path injection alert

      // GOOD: the path can not be controlled by an attacker
      let allowedDirectories = [
        'this-is-a-safe-directory'
      ];
      if (allowedDirectories.includes(userinput)) {
        await rm(userinput); // sanitized - No Path injection alert
      }
    });
    return super.init();
  }
};
```

- OWASP 2021: Injection.
- SAP CAP CDS Utils: Documentation.
- Common Weakness Enumeration: CWE-020.
- Common Weakness Enumeration: CWE-022.