Sanitize Absolute Paths

When you extract a subfile from a container and write it to disk, you specify an extract directory and a path to extract the file to.

To set the path, you might use the path in the container file that you are extracting from, as returned from the function fpGetSubFileInfo(). However, if the path is an absolute path, the file could be created outside the directory you have chosen as the extract directory. Your application might then contain a vulnerability that could be exploited to write files to unexpected locations in the file system. This section discusses some File Content Extraction features that can help you secure your application by sanitizing paths.

File Content Extraction always sanitizes relative paths that you pass in when extracting files, so that the paths remain within the extract directory you specify. For example, File Content Extraction does not allow the use of ".." to move outside the extract directory.

File Content Extraction can update absolute paths so that they remain within the extract directory. You can instruct File Content Extraction to sanitize absolute paths programmatically (through the API), or by setting a parameter in the configuration file.

The following table shows the effect on some example paths.

| Requested path | Path of extracted file (not sanitized) | Path of extracted file (sanitized) |
|----------------|----------------------------------------|------------------------------------|
| file.txt       | extractDir/file.txt                    | extractDir/file.txt                |
| dir/file.txt   | extractDir/dir/file.txt                | extractDir/dir/file.txt            |
| ../file.txt    | extractDir/file.txt                    | extractDir/file.txt                |
| /dir/file.txt  | /dir/file.txt                          | extractDir/dir/file.txt            |
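
The mapping in the "sanitized" column can be reproduced with a small lexical check, shown here as an added example that is not File Content Extraction code or part of its API. The names sanitize_extract_path and maps_to are hypothetical, only POSIX-style "/" separators are handled, and the treatment of ".." beyond the single row in the table (clamping at the extract directory) is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not a KeyView API: maps a requested POSIX-style path
 * to a path under extract_dir. Returns 0, or -1 if nothing usable remains
 * or the result does not fit in the buffers. */
int sanitize_extract_path(const char *extract_dir, const char *requested,
                          char *out, size_t outsz)
{
    char rel[1024] = "";   /* sanitized relative path built so far */
    size_t len = 0;
    const char *p = requested;
    while (*p) {
        while (*p == '/') p++;          /* drop leading and repeated '/' */
        size_t n = strcspn(p, "/");     /* length of the next component */
        if (n == 0) break;
        if (n == 2 && p[0] == '.' && p[1] == '.') {
            /* "..": remove the previous component, never climb above the root */
            char *slash = strrchr(rel, '/');
            len = slash ? (size_t)(slash - rel) : 0;
            rel[len] = '\0';
        } else if (!(n == 1 && p[0] == '.')) {   /* "." is skipped */
            if (len + n + 2 > sizeof rel) return -1;
            if (len) rel[len++] = '/';
            memcpy(rel + len, p, n);
            len += n;
            rel[len] = '\0';
        }
        p += n;
    }
    if (len == 0) return -1;            /* e.g. "/" or "..": no file name left */
    int w = snprintf(out, outsz, "%s/%s", extract_dir, rel);
    return (w < 0 || (size_t)w >= outsz) ? -1 : 0;
}

/* Returns 1 when `requested` maps to `expected` under "extractDir". */
int maps_to(const char *requested, const char *expected)
{
    char out[2048];
    return sanitize_extract_path("extractDir", requested, out, sizeof out) == 0
           && strcmp(out, expected) == 0;
}

int main(void)
{
    /* Constructed input: an absolute path, as in the last row of the table */
    return maps_to("/dir/file.txt", "extractDir/dir/file.txt") ? 0 : 1;
}
```

A check like this is also useful as a second line of defense: compare the path you expect against the path reported after extraction before you process the file further.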

To sanitize absolute paths

  • In the KVExtractSubFileArg struct that you pass in to fpExtractSubFile, set the flag KVExtractionFlag_SanitizeAbsolutePaths. When File Content Extraction sanitizes a path and the resulting directory does not exist, extraction fails unless you instruct File Content Extraction to create the directory, so you might also want to set the flag KVExtractionFlag_CreateDir. You can find the path that a file was actually extracted to from the KVSubFileExtractInfo structure.

To sanitize absolute paths (through configuration)

  • In the formats_e.ini configuration file, set the parameter SanitizeAbsoluteExtractPaths, for example:

    [Options]
    SanitizeAbsoluteExtractPaths=TRUE