Project now lives at: https://github.com/OWASP/www-project-cheat-code-series/
This project demonstrates secure and insecure implementations of path processing functions, focusing on path traversal vulnerabilities. It serves as an educational tool to understand common path traversal vulnerabilities and how to prevent them.
src/main/java/com/security/path/PathProcessor.java: Base abstract class defining the path processing interfacesrc/main/java/com/security/path/ReadFileResult.java: Result wrapper class for file operations
Secure_PathProcessor_ESAPI_CombinedDirectoryAndFileNameValidation.java: ESAPI-based validation with combined directory and filename checksSecurePathProcessor_ESAPI_DefaultFileNameValidation.java: ESAPI-based filename validationSecurePathProcessor_ESAPI_FileNameValidation.java: Basic ESAPI filename validationSecurePathProcessor_RelativeToBaseFolder_Validation.java: Base folder-relative path validationSecurePathProcessor_RegexValidation_Whitelist_AlphaNumericDot.java: Whitelist-based regex validationSecurePathProcessor_RegexValidation_Blacklist_Extended.java: Extended blacklist-based regex validationSecurePathProcessor_RegexValidation_Blacklist_Simple.java: Simple blacklist-based regex validationSecurePathProcessor_FileAPI_GetName.java: File API-based validationSecurePathProcessor_StringContains_Simple.java: Simple string-based validationSecurePathProcessor_RelativePath_Validation.java: Relative path validation
VulnerablePathProcessor_Default_NoChecks.java: No validation implementationVulnerablePathProcessor_Default_NoChecks_ImproperPathConcat.java: Unsafe path concatenationVulnerablePathProcessor_ImproperAPIUse_MultipartFileGetOriginalName.java: Unsafe multipart file handlingVulnerablePathProcessor_Bypassable_StringContainsCheck.java: Bypassable string-based validation
BasePathProcessorTest.java: Base test class with common test casesPathTraversalTestPayloads.java: Collection of path traversal test payloadsLegitimatePathsTestPayloads.java: Collection of legitimate path test cases- Individual test classes for each implementation
- ESAPI-based validation (directory and filename)
- Regex-based validation (whitelist and blacklist approaches)
- File API-based validation
- Relative path validation
- Base folder validation
- Input sanitization
- Null checks
- Exception handling
- Direct path concatenation without validation
- Improper API usage
- Bypassable string-based checks
- Missing input validation
- Unsafe path resolution
To run the tests, use Maven:
mvn test- Understanding path traversal vulnerabilities
- Common bypass techniques for path traversal
- Best practices for path processing
- Input validation techniques
- Path normalization and canonicalization
- Exception handling in path processing
- ESAPI security features
- Regex-based validation approaches
- File API security considerations
The vulnerable implementations in this project are intentionally vulnerable and should never be used in production code. They serve only as examples of common mistakes and vulnerabilities.
- Java 11 or higher
- JUnit 5
- Mockito (for testing)
- OWASP ESAPI (for secure implementations)
This project is open source and available under the MIT License.
-
Download the Project: Clone the repository to your local machine.
git clone https://github.com/Aleks-Ry/cheatcode/
-
Launch the Unit-Test Tab: Open the project in your preferred IDE and navigate to the unit-test tab to run the tests.
In the screenshot above, you can see the results of the path security tests:
- The vulnerable implementation failed to withstand some or all payloads.
- The secure implementation successfully blocked all payloads while fully or partially maintaining the functionality of reading files.
-
Run Tests: You can also run the tests using Maven:
mvn test
