Are laravel routes sufficient to protect against file crawling?

    Route::get('/transaction/{name}', 'TransactionController@download');

    public function download($name)
    {
        $path = storage_path('app/something/') . $name . '.xml';
        return response()->download($path);
    }

The user should use this action only to load .xml files from app/something.

Is it possible to load data from outside the specified app/something folder?

+5
3 answers

As far as I know, Laravel will compile your path:

    #^/transaction/(?P<name>[^/]++)$#s

So a simple / will not work. You can use a more complex backslash, but that depends on the server.

In the end, remember not to trust any user input, regardless of whether it goes through routing or is received directly.

+1

Laravel does not protect against bypass attacks - the router will return any value with your sample code, which means that someone can access your file system!

Use PHP's basename() to sanitize $name by removing any path references from the string:

    Route::get('/transaction/{name}', 'TransactionController@download');

    public function download($name)
    {
        $path = storage_path('app/something/') . basename($name, '.xml') . '.xml';
        return response()->download($path);
    }

+2

Updated Answer

As you can see below, it is definitely possible to perform malicious actions through Laravel routes. Given the way your function is set up, the likelihood that someone will do something you don't want is small, because they can only change the $name variable.

You can still write additional code (see viblo.asia):

    $basepath = '/foo/bar/baz/'; // Path to the xml files
    $realBase = realpath($basepath);
    $userpath = $basepath . $_GET['path'];
    $realUserPath = realpath($userpath);
    if ($realUserPath === false || strpos($realUserPath, $realBase) !== 0) {
        // Directory traversal!
    } else {
        // Good path!
    }

to prevent users from accessing files they are not allowed to.


Old but relevant answer

Just tried this in Homestead:

    Route::get('/', function () {
        dump(exec('ls ' . storage_path() . '/../../../'));
    });

And this perfectly prints the corresponding folder:

(screenshot of the resulting directory listing omitted)

So, I would say that it is definitely possible to do things outside of the specified folder. Try this for yourself, for example:

    Route::get('/', function () {
        for ($i = 0; $i < 10; $i++) {
            $path = str_repeat('/..', $i);
            dump(exec('ls ' . storage_path() . $path));
        }
    });

And you will see your folders appear on the screen when you open the / route.

+1
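The second answer's basename() sanitisation and the third answer's realpath() containment check can be combined into one defence-in-depth helper. The following is an added example written for this page, not code from the question, the answers or the Laravel project; it assumes Laravel's storage_path(), response() and abort_if() helpers and the route where() constraint, while the function name resolveXmlPath, the whitelist pattern and the temporary demo directory are constructed here.

```php
<?php
// Added example: harden the download action from the question so that a
// user-supplied {name} can only ever resolve to an .xml file directly inside
// the intended directory. Assumptions: the helper name resolveXmlPath and the
// whitelist regex are this example's own choices; the demo directory below is
// constructed for the stand-alone run.

/**
 * Resolve $name to a file inside $baseDir, or return null if it must be refused.
 * Three independent layers: a name whitelist, basename() to drop any directory
 * part, and a realpath() containment check that survives symlinks and '..'.
 */
function resolveXmlPath(string $baseDir, string $name): ?string
{
    // Layer 1: only plain identifiers (letters, digits, dash, underscore).
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        return null;
    }

    // Layer 2: strip any directory component (redundant after the whitelist,
    // but keeps the function safe if the whitelist is relaxed later).
    $file = basename($name) . '.xml';

    // Layer 3: resolve both sides; realpath() returns false for missing files.
    $realBase = realpath($baseDir);
    $realFile = realpath($baseDir . DIRECTORY_SEPARATOR . $file);
    if ($realBase === false || $realFile === false) {
        return null;
    }

    // Compare against the base directory plus a separator, so a sibling
    // directory such as '.../something-else' does not pass as a prefix match.
    $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($realFile, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $realFile;
}

// How the helper plugs into the route and controller from the question
// (shown as comments so the file runs outside Laravel):
//
// Route::get('/transaction/{name}', 'TransactionController@download')
//     ->where('name', '[A-Za-z0-9_-]+');   // first rejection point, at routing
//
// public function download(string $name)
// {
//     $path = resolveXmlPath(storage_path('app/something'), $name);
//     abort_if($path === null, 404);        // never reveal why it was refused
//     return response()->download($path);
// }

// Stand-alone demonstration with a constructed temporary directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'xml-demo-' . getmypid();
mkdir($base . '/something', 0700, true);
file_put_contents($base . '/something/invoice.xml', '<invoice/>');
file_put_contents($base . '/secret.xml', '<secret/>'); // outside the allowed folder

foreach (['invoice', '../secret', 'missing', 'invoice.xml'] as $name) {
    $result = resolveXmlPath($base . '/something', $name);
    printf("%-14s => %s\n", var_export($name, true), $result ?? 'rejected');
}
// Only 'invoice' resolves; '../secret' and 'invoice.xml' fail the whitelist,
// and 'missing' fails because realpath() cannot resolve a file that does not exist.
```

The route-level where() constraint and the in-function whitelist deliberately overlap: the router check is cheap and stops bad requests early, while the helper does not depend on the route definition staying unchanged. Responding with a plain 404 for every rejected name avoids turning the check into an oracle for which paths exist.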

Source: https://habr.com/ru/post/1263040/
