Skip to Content

as pointed out by Horst Keller in one of his blogs, security is important and nothing which should be an afterhtought. Also it is nothing that can be solved by SAP alone but a topic for each and everyone developing code. However SAP has quite some functionality, that assist you to counter attacks more easily.

In this blog, I will show you, how to protect your code against directory traversal attacks when dealing with files.

Directory traversal attacks often also called path traversal attacks try to abuse insufficient sanitization and validation when taking user input as (part of) filenames. One simple example could be the ability to create a file with some input on the application server. A very simple program to do this could look like shown below:

REPORT Z_UPLOAD_NO_CHECK.
PARAMETERS: pv_fname TYPE c LENGTH 64 LOWER CASE DEFAULT ‘test.txt’,
            pv_text 
type string LOWER CASE DEFAULT ‘This is the file contents’.
DATA        lv_full_name TYPE string.

AT SELECTION-SCREEN
.
 
if pv_fname = .
   
MESSAGE ‘You need to specify a file name.’ TYPE ‘E’.
 
ENDIF.
  lv_full_name
= ‘/tmp/’ && pv_fname. “Assume enduser inputs only a relative file name.

START-OF-SELECTION
.
 
OPEN DATASET lv_full_name FOR OUTPUT IN TEXT MODE ENCODING UTF8 .
 
IF SYSUBRC <> 0.
     
MESSAGE ‘Could not open file’&& lv_full_name TYPE ‘E’.
 
ELSE.
     
TRANSFER pv_text TO lv_full_name.
     
CLOSE DATASET lv_full_name.
     
Write :/ ‘contents was saved to:’, lv_full_name.
 
ENDIF.

What the program does, is simply asking for a file name and the content for the file. It just assumes, that the file name will be relative (like test.txt) and not absolute (like C:\TEMP\test.txt or /tmp/test.txt) and therefore just concatenate the directory the files shall be placed into and the filename itself. In the end it will open the file for writing and put the input of the user into the file.

What’s wrong with this? Two things:

  • The developer defines the directory where to place the files. If the directory does not exist, the admin can only request a new program.
  • The code does not check, whether the file will really end up in /tmp or somewhere else on the server.

Let’s have a closer look at the second issue. Let’s assume we use a filename like ../etc/passwd. What happens? The code will concatenate ‘/tmp/’ and ‘../etc/passwd’ into ‘/tmp/../etc/passwd’. In case the operating system is unix based, the system would understand ‘/etc/passwd’ as the file intended to be accessed. It is obvious, that this was not the intention of the programmer. In fact, the attacker would be able to access many operating system files which definitly should be considered a risk using this program.

So how can we avoid this. For sure, you can just search for ‘../ ‘ occurring in the input and remove that part. However if you are on a Windows based OS, this is not ‘../’ but ‘..\’ and also what happens if there are more dots, . In addition, the characters may be encoded for instance using UTF-8 and therefore look even different again. So doing this by searching just for some characters, is not that easy. You can have a look at the Wikipedia article on directory traversal attack to get an idea what is involved to protect your code.

To acounter such risks, the ABAP application server has capabilities to do this for you. As part of the function group SFIL, there is the transaction file, where you can define logical directories and logical filenames and there are function modules like file_get_name and file_validate_name to use the information captured with file to create filenames or verify, whether they are valid. This functionality is Unicode enabled, OS aware and is able to understand the input and interpret it, like an operating system would do.

Especially when using file_get_name, you may want to check your SP level, as there have been significant improvments done there. Please check SAP note 1497003 for more details.

The SFil Infrastructure

The function group SFil provides the functionality to easily handle access to files, by providing  logical filenames to developers and functions to map these logical filenames to physical filenames by the administrator.

Logical Filenames

Logical filenames in ABAP are patterns used to create or verify filenames used on a server or client system. Logical filenames include information about

·         The name to refer to the logical filename

·         The pattern for the filename

·         A data format (ASCII, Binary, Directory, …)

·         Application area

·         Optional: a logical path

The filename portion defined can be absolute (start from a root) or relative. If you want to specify filenames outside the working directory of the app server, I suggest you use the logical directories.

Filename pattern may include predefined patterns like date, time, OS or patterns based on profile parameters and more. You can even have the program provide his own input to the parameters using the parameters <PARAM_1> to <PARAM_3>. However I would recommend not to make use of these parameters for file name validation.

Logical Paths

Logical paths are an abstraction to the directories on different operating systems. The advantage here is the ability to specify one directory per OS, even though you only have one common logical directory name. For instance SAP delivers a logical path called ‘TMP’, which already contains the directories to be used to place temporary files on unix and windows operating systems.

/wp-content/uploads/2013/08/log_path_257139.png

File_Get_Name

Using the function module file_get_name, you can create filenames based on definitions in transaction file. You have to provide the logical filename and will get back the filename based on the definition in file. Please note, that the filename will only contain the directory if you request this from file_get_name explicitly.

File_Validate_name

File_validate_name checks whether a given filename is within a directory specified. You have to provide the filename to be checked and a logical filename to check it against. If you want to check, whether a given file is within a defined directory, you have to define a logical filename of type ‘DIR’ (directory). File_validate_name will not accept logical directories directly.

If the filename given is not absolute (for instance ‘test.txt’), file_validate_name will make it an absolute one by adding the working directory of the application server (profile parameter DIR_HOME). For this reason, you need to put the intended directory in front of relative filenames before calling file_validate_name.

File_validate_name will also accept all filenames which are at a deeper level of the hierarchy. This implies that the file/tmp/foo /bar would be a valid file when compared to /tmp in the sense of file_validate_name.

Doing it right

Getting back to the example above, we have to permit the admin to define where the files are placed and validate the filenames or let the system generate them.

Let’s first have a look at how generating filenames works. There are two options, how the program can be changed:

  • using a predefined filename for the file to be created
  • verifying the filename provided by the user

Using a predefined filename defined by the admin

In this case you can create a logical filename like the one below in transaction file. This definition will result in filenames that are valid on unix and windows systems and will contain the date and time of the creation of the filename.

ZMY_outfile.png

If we would call file_get_name on 2013-08-06 at 17:35:15, the following filename would be created:

Operating System File Name
Unix

/tmp/test-20130801-173515.txt

Windows C:\Windows\Temp\ test-20130801-173515.txt

Please note, the path on windows is dependent on the profile parameter for temporary files. So the path may look different on your system.

Using file_get_name and the definition as shown above, we can now create a safe version of the program.

REPORT Z_UPLOAD_FILE_GET_NAME.
PARAMETERS pv_text  type string LOWER CASE DEFAULT ‘This is the file contents’.
DATA       lv_full_name TYPE string.

AT SELECTION-SCREEN.

START-OF-SELECTION
.* get the filename including the path from the configuration
 
CALL FUNCTION ‘FILE_GET_NAME’
   
EXPORTING
      LOGICAL_FILENAME             
= ‘ZMY_OUTFILE’
      INCLUDING_DIR                
= ‘X’
  
IMPORTING
      FILE_NAME                    
= lv_full_name
  
EXCEPTIONS
     FILE_NOT_FOUND               
= 1
    
OTHERS                        = 4.
 
IF SYSUBRC <> 0.
     
MESSAGE ID symsgid TYPE symsgty NUMBER symsgno
       
WITH symsgv1 symsgv2 symsgv3 symsgv4.
 
ENDIF.

  OPEN DATASET lv_full_name FOR OUTPUT IN TEXT MODE ENCODING UTF8 .
 
IF SYSUBRC <> 0.
     
MESSAGE ‘Could not open file’ && lv_full_name TYPE ‘E’.
 
ELSE.
     
TRANSFER pv_text TO lv_full_name.
     
CLOSE DATASET lv_full_name.
     
Write :/ ‘contents was saved to:’, lv_full_name.
 
ENDIF.

Verifying the filename provided by the user

In the previous example, the admin has complete control over the files created, however from an application point of view, this may not be flexible enough.

When the user shall be able to specify a file name, you need to make use of file_validate_name. In this case the admin defines a permitted directory using transaction file.

Please note, that although you need to specify a directory here, you will have to create this under logical filenames. Also you must specify ‘DIR’ as being the data type for this entry.

The example again will make use of the predefined logical directory TMP.

ZMY_outdir.png

There are some traps you need to get around when using file_validate_name.

File_validate_name works with absolute filenames only. Therefor you have to make relatives filenames absolute first. Also you must specify the INCLUDING_DIR parameter on file_get_name when accessing filenames of type ‘DIR’, as otherwise the function will dump.

A safe version for the program could then look like this:

REPORT Z_UPLOAD_FILE_VALIDATE_NAME.

PARAMETERS: pv_fname       TYPE c LENGTH 64 LOWER CASE DEFAULT ‘test.txt’,
            pv_text       
TYPE string LOWER CASE DEFAULT ‘This is the file content.’.
CONSTANTS   lc_log_fname   LIKE FILENAMEFILEINTERN VALUE ‘ZMY_OUTDIR’.
DATA:       lv_full_name   TYPE string,             ” filename
           lv_defaultpath TYPE string.
INITIALIZATION.* get the path, where the files should be placed from the configuration
 
CALL FUNCTION ‘FILE_GET_NAME’
   
EXPORTING
      LOGICAL_FILENAME           
= lc_log_fname
      INCLUDING_DIR              
= ‘X’
   
IMPORTING
      FILE_NAME                  
= lv_defaultpath
   
EXCEPTIONS
     
OTHERS = 1.
 
IF sysubrc <> 0.
   
MESSAGE ID symsgid TYPE ‘I’ NUMBER symsgno
   
WITH symsgv1 symsgv2 symsgv3 symsgv4.
 
ENDIF.

AT SELECTION-SCREEN.
 
IF pv_fname = .
   
MESSAGE ‘You need to specify a file name.’ TYPE ‘E’.
 
ENDIF.
* check whether the file name is a relative one
 
IF cl_fs_path=>create( pv_fname )->is_relative( ) = abap_true.
   
” file name is a relative one, put the default path before the filename
   
” we also need to check in this case, as ‘/tmp’ + ‘../etc/test.txt’ is still outside /tmp
    lv_full_name
= lv_defaultpath && pv_fname.
 
ELSE.
   
” file name is already absolute, just use it.
    lv_full_name
= pv_fname.
 
ENDIF.

  CALL FUNCTION ‘FILE_VALIDATE_NAME’
   
EXPORTING
      LOGICAL_FILENAME           
= lc_log_fname
   
CHANGING
      PHYSICAL_FILENAME          
= lv_full_name
   
EXCEPTIONS
      LOGICAL_FILENAME_NOT_FOUND 
= 2
      VALIDATION_FAILED          
= 1
     
OTHERS                      = 4.
 
IF SYSUBRC <> 0.
   
IF SYSUBRC > 1.
     
MESSAGE ID symsgid TYPE ‘A’ NUMBER symsgno
       
WITH symsgv1 symsgv2 symsgv3 symsgv4.
   
ELSE.
     
MESSAGE ‘The filename >’ && pv_fname && ‘< is not valid, please try again.’ TYPE ‘E’.
   
ENDIF.
 
ENDIF.

START-OF-SELECTION.
 
OPEN DATASET lv_full_name FOR OUTPUT IN TEXT MODE ENCODING UTF8 .
 
IF SYSUBRC <> 0.
     
MESSAGE ‘Could not open file’ && lv_full_name TYPE ‘E’.
 
ELSE.
     
TRANSFER pv_text TO lv_full_name.
     
CLOSE DATASET lv_full_name.
     
Write :/ ‘contents was saved to:’, lv_full_name.
 
ENDIF.

If you need more information on the functions used above to protect against directory traversal attacks, you can allways have a look at the secure programming guide, the documentation for transaction FILE, for the function module file_get_name and for the function module file_validate_name.

To report this post you need to login first.

2 Comments

You must be Logged on to comment or reply to a post.

  1. Andreas Wiegenstein

    Patrick,

    nice description on how to use file_validate_name.

    Just one slight mistake.
    In the example above you mention a file named “../(etc/passwd”. The “(” is obviously a typo, unless you are using a very strange version of the unix OS 😉

    And one slight addition.
    The coding you provide prevents a directory traversal attack. But for security reasons developers should also consider restricting the file extension to a set of allowed types. You don’t want people to create EXE or BAT files on your server (in case you run MS Windows), do you?

    This type of vulnerability is a must-know for every developer. Directory Traversal is the second-most common vulnerability in custom ABAP coding. Only authorization errors are more common. See the BIZEC APP/11 list for more information about the most common and the most critical mistakes in ABAP.

    Of course file_validate_name also applies to any other means of opening files on an SAP application server, e.g. using kernel calls ‘ALERTS’ or ‘C_RSTRB_READ_BUFFERED’.

    But remember folks: using kernel calls leads to the dark side anyway…

    (0) 
    1. Patrick Hildenbrand Post author

      Hi Andreas,

      thanks for pointing out this typo, it’s now fixed.

      With regards to your comment about filetypes, I’m a bit reluctant. In my opinion, you should be even more restrictive when operating with files, the filename should be defined via the sfil infrastructure (transaction file), which also allows to generate names. In all cases where this is not possible and you need some sort of user input, everything that can be used to restrict the possible namespace known to the developer (i.e. whitelists of allowed filenames) should be used to validate the filename given by the user and not only to validate the extension. From a abuisess perspective I do not see much difference, whether you uploaded an exe which an admin might be able to execute or whether you uploaded an xls pretending to be some business input, maybe even overwriting a generated version, which in turn leads to erranous business decisions. In fact, the latter may even be more expensive.

      Regards,

      Patrick

      (0) 

Leave a Reply