MID-075: Path Traversal Protections

Mitigation Tier: Foundational

Description

To avoid path traversal attacks, devices should not pass raw user input directly to file system calls. For example, OWASP [1] recommends: (i) using indexes instead of file names, (ii) validating the user’s input by only accepting it if it matches predefined values, (iii) using technical mechanisms to limit where the user can access files from, and (iv) normalizing user inputs.

Additionally, devices should choose a single, canonicalized path by which a file is accessed, rather than granting access through every absolute path that reaches that file. This can prevent threat actors from inserting alternative paths (e.g., using relative directory names or symlinks) that map to the target file but that the device was not expecting, which may result in bypassing file access control policies. Devices should convert all received paths into canonicalized absolute paths and then use the resulting canonicalized path as the subject for access control decisions.
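The canonicalize-then-decide rule described above, as an added Python example (not code from this mitigation page or from OWASP). The names canonicalize_under, PathRejected and demo, the directory layout and the sample requests are all constructed for illustration.

```python
import os
import tempfile

class PathRejected(Exception):
    """Hypothetical example type: path canonicalizes outside the allowed root."""

def canonicalize_under(root, user_path):
    """Return the canonical absolute path for user_path, or raise PathRejected."""
    if "\x00" in user_path:
        raise PathRejected("NUL byte in path")
    canon_root = os.path.realpath(root)
    # os.path.join drops canon_root when user_path is absolute; that path is
    # then canonicalized as-is and must still pass the containment check.
    candidate = os.path.realpath(os.path.join(canon_root, user_path))
    # Decide on the canonical path. commonpath compares whole components, so
    # ".../www-private" is not treated as a child of ".../www".
    if os.path.commonpath([canon_root, candidate]) != canon_root:
        raise PathRejected(f"{user_path!r} resolves outside the root")
    return candidate

def demo():
    """Evaluate constructed requests against a constructed directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "www")
        secret = os.path.join(tmp, "secret.txt")
        os.mkdir(root)
        open(os.path.join(root, "index.html"), "w").close()
        open(secret, "w").close()
        os.symlink(secret, os.path.join(root, "link"))  # points outside root
        requests = {  # constructed sample inputs
            "plain": "index.html",
            "dot-alias": "./index.html",
            "dotdot": "../secret.txt",
            "symlink": "link",
            "absolute": secret,
            "sibling-prefix": "../www-private/key",
        }
        for label, req in requests.items():
            try:
                canon = canonicalize_under(root, req)
                results[label] = os.path.relpath(canon, os.path.realpath(root))
            except PathRejected:
                results[label] = "REJECTED"
    return results

if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:15} -> {outcome}")
```

Pass the returned canonical path, not the original input, to the file system call. The example assumes a POSIX file system and does not address a symlink being replaced between the check and the open.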

IEC 62443 4-2 Mappings

  • CR 3.5 - Input validation 

References

[1] OWASP. “Path Traversal.” owasp.org. Accessed: Aug. 28, 2024. [Online.] Available: https://owasp.org/www-community/attacks/Path_Traversal

[2] OWASP. “Input Validation Cheat Sheet.” owasp.org. Accessed: Aug. 28, 2024. [Online.] Available: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html

[3] PortSwigger. “Path traversal.” portswigger.net. Accessed: Aug. 28, 2024. [Online.] Available: https://portswigger.net/web-security/file-path-traversal