generic.nginx.security.alias-path-traversal.alias-path-traversal
Community Favorite
semgrep
Author
53,719
Download Count*
License
The alias in this location block is subject to a path traversal because the location path does not end in a path separator (e.g., '/'). To fix, add a path separator to the end of the path.
Run Locally
Run in CI
Defintion
rules:
- id: alias-path-traversal
patterns:
- pattern: |
location $...LOCATION {
...
alias .../;
...
}
- metavariable-pattern:
metavariable: $...LOCATION
pattern-regex: ^.*[^/]$
paths:
include:
- "*.conf"
- "*.vhost"
- sites-available/*
- sites-enabled/*
fix-regex:
regex: location\s+([A-Za-z0-9/-_\.]+)
replacement: location \1/
languages:
- generic
severity: WARNING
message: The alias in this location block is subject to a path traversal because
the location path does not end in a path separator (e.g., '/'). To fix,
add a path separator to the end of the path.
metadata:
cwe:
- "CWE-22: Improper Limitation of a Pathname to a Restricted Directory
('Path Traversal')"
source-rule-url: https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md
category: security
technology:
- nginx
confidence: LOW
owasp:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
references:
- https://owasp.org/Top10/A01_2021-Broken_Access_Control
- https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/
- https://www.youtube.com/watch?v=CIhHpkybYsY
- https://github.com/orangetw/My-Presentation-Slides/blob/main/data/2018-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out.pdf
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- audit
likelihood: LOW
impact: LOW
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Path Traversal
Examples
alias-path-traversal.conf
server {
listen 80;
# ruleid: alias-path-traversal
location /i {
alias /data/w3/images/;
}
# ok: alias-path-traversal
location /i/ {
alias /data/w3/images/;
}
# ok: alias-path-traversal
location /i {
alias /data/w3/images;
}
# ok: alias-path-traversal
location /fm/ {
alias /usr/local/web/fm/dist/;
index index.php;
location ~ /([^/]+\.php)$ {
try_files /$1 =404;
include fastcgi_params;
}
}
}
Short Link: https://sg.run/ZvNL