
If we have a web page that is able to read or delete a file (based on its name) inside a certain folder, for example 'public/upload/', what kind of filtering must we use to prevent security issues?

For example in Ruby/Sinatra:

file_name = params[:file_name]
base_dir = 'public/upload/'
# prevent user from entering ../../../../../etc/passwd or any other things
file_name.gsub!('../', '')
# base_dir already ends with a slash, so no separator is added here
File.delete "#{base_dir}#{file_name}"

Is it enough?

Kokizzu

1 Answer

This kind of filtering is always error-prone. However, something that could work, though I cannot say it is bulletproof, would be this:

Preventing Directory Traversal in PHP but allowing paths

Ruby has something like PHP's "realpath", AFAIK.

OWASP also has a bit on how to prevent path traversal: https://www.owasp.org/index.php/File_System#Path_traversal

Along with examples of how path traversal can be exploited: https://www.owasp.org/index.php/Path_Traversal

sboutzen