Sanitize Absolute Paths

When you extract a subfile from a container and write it to disk, you specify an extract directory and a path to extract the file to.

To set the path, you might use the path stored in the container for the subfile, as returned by the function fpGetSubFileInfo(). However, the container is untrusted input: if the stored path is an absolute path, the file is created at that location rather than inside the directory you have chosen as the extract directory. Your application would then contain an arbitrary file write vulnerability, which an attacker who controls the container could exploit to write files to unexpected locations in the file system. This section describes the KeyView features that help you secure your application by sanitizing paths.

KeyView always sanitizes relative paths that you pass in when extracting files, so that the paths remain within the extract directory you specify. For example, KeyView does not allow the use of ".." to move outside the extract directory.

KeyView can update absolute paths so that they remain within the extract directory. You can instruct KeyView to sanitize absolute paths programmatically (through the API), or by setting a parameter in the configuration file.

The following table shows the effect on some example paths.

Requested path   Path of extracted file (not sanitized)   Path of extracted file (sanitized)
file.txt         extractDir/file.txt                      extractDir/file.txt
dir/file.txt     extractDir/dir/file.txt                  extractDir/dir/file.txt
../file.txt      extractDir/file.txt                      extractDir/file.txt
/dir/file.txt    /dir/file.txt                            extractDir/dir/file.txt

To sanitize absolute paths (through the API)

  • In the KVExtractSubFileArg struct that you pass in to fpExtractSubFile, set the flag KVExtractionFlag_SanitizeAbsolutePaths. If the sanitized path points to a directory that does not yet exist, extraction fails unless you also set the flag KVExtractionFlag_CreateDir, which instructs KeyView to create the directory. Because sanitization can change the path, read the path that the file was actually extracted to from the KVSubFileExtractInfo structure rather than reusing the path you requested.

To sanitize absolute paths (through configuration)

  • In the formats_e.ini configuration file, set the parameter SanitizeAbsoluteExtractPaths, for example:

    [Options]
    SanitizeAbsoluteExtractPaths=TRUE
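The following C program is an added illustration of the sanitization behaviour the table above describes; it is not KeyView's own code, and the exact rules KeyView applies (for example to Windows drive letters or UNC paths) are not documented on this page, so the handling of those cases here is an assumption. sanitize_extract_path() maps a path taken from a container onto a location under the extract directory, and path_within_dir() is the kind of post-extraction check you can run on the path reported in KVSubFileExtractInfo.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_COMPONENTS 256

/* Illustrative sanitizer (not KeyView's code): map a path stored in a
 * container onto a location under extract_dir.
 *  - leading '/' or '\' and a DOS drive letter such as "C:" are dropped
 *    (assumption: how KeyView treats drive letters is not documented here)
 *  - "." components are skipped
 *  - ".." components climb one level but never above extract_dir
 *  - '/' and '\' are both treated as separators; the output uses '/'
 * Returns the length of the sanitized path, or -1 if the result would not
 * fit in out or the request names no file at all. */
int sanitize_extract_path(const char *extract_dir, const char *requested,
                          char *out, size_t outsz)
{
    char buf[1024];
    const char *comps[MAX_COMPONENTS];
    size_t lens[MAX_COMPONENTS];
    size_t n = 0, pos, dl, i;
    const char *p;

    if (strlen(requested) >= sizeof buf) return -1;
    strcpy(buf, requested);
    p = buf;

    /* "C:\dir\file" -> "\dir\file"; the leading separator goes next. */
    if (isalpha((unsigned char)p[0]) && p[1] == ':') p += 2;

    while (*p) {
        size_t len;
        while (*p == '/' || *p == '\\') p++;   /* absolute or doubled separators */
        if (!*p) break;
        len = strcspn(p, "/\\");
        if (len == 1 && p[0] == '.') {
            /* current directory: nothing to add */
        } else if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (n > 0) n--;                    /* cannot escape extract_dir */
        } else {
            if (n >= MAX_COMPONENTS) return -1;
            comps[n] = p;
            lens[n] = len;
            n++;
        }
        p += len;
    }
    if (n == 0) return -1;                     /* e.g. "", "/", "../" */

    /* Join extract_dir and the surviving components with '/'. */
    dl = strlen(extract_dir);
    if (dl >= outsz) return -1;
    memcpy(out, extract_dir, dl);
    pos = dl;
    for (i = 0; i < n; i++) {
        if (pos + 1 + lens[i] >= outsz) return -1;
        out[pos++] = '/';
        memcpy(out + pos, comps[i], lens[i]);
        pos += lens[i];
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Post-extraction check: does the path the file was actually written to
 * (for example the one reported in KVSubFileExtractInfo) lie strictly
 * inside extract_dir? Returns 1 if so, 0 otherwise. A prefix check is
 * sufficient for output of sanitize_extract_path, which never emits "."
 * or ".." components; for paths from elsewhere, canonicalize both sides
 * first (realpath) so symlinks and ".." cannot defeat the comparison. */
int path_within_dir(const char *extract_dir, const char *path)
{
    size_t dl = strlen(extract_dir);
    return strncmp(path, extract_dir, dl) == 0 &&
           (path[dl] == '/' || path[dl] == '\\') && path[dl + 1] != '\0';
}

int main(void)
{
    /* Constructed sample requests, including the rows of the table above. */
    static const char *requests[] = {
        "file.txt", "dir/file.txt", "../file.txt", "/dir/file.txt",
        "C:\\dir\\..\\..\\file.txt", "..\\..\\etc\\passwd", "/"
    };
    char out[512];
    size_t i;

    for (i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        int len = sanitize_extract_path("extractDir", requests[i], out, sizeof out);
        if (len < 0)
            printf("%-28s -> rejected\n", requests[i]);
        else
            printf("%-28s -> %s (within extractDir: %d)\n", requests[i], out,
                   path_within_dir("extractDir", out));
    }
    return 0;
}
```

The sanitizer reproduces every row of the table: relative paths and "../" stay under extractDir, and "/dir/file.txt" becomes extractDir/dir/file.txt. Whichever sanitization you rely on, still check the actual output path before trusting the extracted file, since the path you requested and the path KeyView wrote to can differ.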