
File inclusion

Description

Directory traversal occurs when a server allows an attacker to read files or directories outside of the normal web server directory; local file inclusion gives the attacker the ability to include an arbitrary local file from the web server in the server's response.

Example: a resolver call such as getProfilePicture(name: '../../../etc/passwd') returns the server's /etc/passwd file instead of a profile picture.

Remediation

There are multiple ways to prevent directory traversal attacks:

  • Avoid using parameters entered directly by the user.
  • Set up a file/folder name whitelist system: allow only certain folders and/or types of extensions, thus excluding all others.
  • Compartmentalize your data and implement middleware. This can take the form of an interface to the (potentially external) file system on which the data users may request is stored. If the attached data storage is dedicated to this purpose only and does not contain sensitive data, the risk is limited, even if a user manages to bypass the limitations that this middleware can put in place.
  • Restrict access of the GraphQL worker to what is strictly necessary. By restricting as much as possible the files and folders to which the GraphQL worker has access, you reduce the range of files potentially exposed by an attack.
  • Take advantage of virtualization. With virtualization, it is possible to have several virtual machines completely isolated from each other. The GraphQL worker can therefore be isolated on its own virtual machine, allowing it access only to the elements absolutely necessary for its proper execution.

GraphQL Specific

Apollo: To mitigate file inclusion vulnerabilities in the Apollo framework engine, ensure that user input is not directly used to specify files to be included. Implement a whitelist of allowed files and verify that the requested file is in the whitelist before including it. Additionally, use proper input validation and sanitization to prevent malicious input from being processed. Consider using built-in functions that provide secure file handling and avoid dynamic file inclusion whenever possible.
Yoga: To mitigate file inclusion vulnerabilities in the Yoga framework engine, ensure that user input is not directly used to specify files to be included. Employ a whitelist of allowed files, validate and sanitize all user inputs, and avoid dynamic file paths. Additionally, use the framework's built-in functions for file handling that are designed to prevent such vulnerabilities.
Awsappsync: To mitigate file inclusion vulnerabilities in the AWS AppSync framework, ensure that any user-supplied input is properly sanitized and validated. Avoid using dynamic file paths that can be manipulated by an attacker. Implement a strict allowlist of permissible files to be included, and use AWS AppSync's built-in resolvers and Velocity templates to securely manage and process file paths. Regularly review and update security policies and IAM roles to adhere to the principle of least privilege.
Graphqlgo: To mitigate file inclusion vulnerabilities in a GraphQL Go framework engine, ensure that user-supplied input is not used directly to determine the files to be included. Implement strict input validation, use a whitelist of allowed files, and employ the principle of least privilege when accessing file system resources. Additionally, consider using built-in functions for file handling that abstract the underlying file system structure, and regularly update your dependencies to incorporate security fixes.
Graphqlruby: To mitigate file inclusion vulnerabilities in a GraphQL Ruby framework engine, ensure that user-supplied input is not used directly to determine the files to be included or executed. Use a whitelist of allowed files, sanitize and validate all input rigorously, and employ the principle of least privilege when granting file system access to the application. Additionally, consider using built-in mechanisms for template rendering and avoid dynamic file paths.
Hasura: To mitigate file inclusion vulnerabilities in the Hasura framework, ensure that all file paths are handled securely. Avoid using user input directly when specifying file paths. If dynamic file paths are necessary, validate and sanitize the input rigorously to prevent directory traversal attacks. Additionally, use a whitelist approach to limit accessible files to only those that are required for application functionality. Keep the Hasura engine and all dependencies up to date to benefit from the latest security patches.
Agoo: Validate and sanitize all user inputs to prevent directory traversal and local file inclusion vulnerabilities in the Agoo framework engine. Implement strict whitelisting of allowed file paths and use secure functions to handle file operations.
Ariadne: Validate and sanitize all user inputs to prevent directory traversal and file inclusion vulnerabilities in the Ariadne framework engine.
Caliban: Validate and sanitize all user inputs to prevent directory traversal and file inclusion vulnerabilities in the Caliban framework engine.
Dgraph: Validate and sanitize all user inputs to prevent directory traversal and file inclusion vulnerabilities. Use a whitelist approach to allow only specific, safe file paths and implement strict access controls to ensure that only authorized files are accessible.
Dianajl: Validate and sanitize all user inputs to prevent directory traversal and file inclusion vulnerabilities in the DianaJL framework engine.
Directus: Validate and sanitize all user inputs to prevent directory traversal and local file inclusion vulnerabilities. Use the built-in security features of the Directus framework to restrict file access and ensure that only authorized files within the designated directories are accessible.
Flutter: Validate and sanitize all user inputs to prevent directory traversal and file inclusion vulnerabilities. Use Flutter's built-in security features and libraries to ensure that file paths are properly constrained and do not allow access to unintended directories or files.
Graphene: Validate and sanitize all file path inputs to prevent directory traversal and local file inclusion vulnerabilities in the Graphene framework.
Graphqlapiforwp: Implement strict input validation and sanitization to prevent directory traversal and local file inclusion vulnerabilities in the GraphQL API for WordPress framework. Ensure that user inputs are properly validated and restricted to expected values, and avoid using user inputs directly in file paths.
Graphqlgophergo: Implement strict input validation and sanitization to prevent directory traversal and local file inclusion vulnerabilities in the GraphQLGopherGo framework. Ensure that user inputs are properly validated and restricted to expected values, and avoid using user inputs directly in file paths. Additionally, configure the server to limit file access to only the necessary directories and files.
Graphqljava: Validate and sanitize all user inputs to prevent directory traversal and file inclusion vulnerabilities. Use a whitelist approach to allow only specific, safe file paths and implement strict access controls to ensure that only authorized files can be accessed.
Graphqlphp: Validate and sanitize all input parameters to prevent directory traversal and file inclusion vulnerabilities. Use a whitelist approach to allow only specific, safe file paths and implement strict access controls to ensure that only authorized files can be accessed.
Graphqlyoga: Validate and sanitize all input parameters to prevent directory traversal and file inclusion vulnerabilities. Use a whitelist approach to allow only specific, safe file paths and implement strict access controls to ensure that only authorized files are accessible.
Hypergraphql: Validate and sanitize all file path inputs to prevent directory traversal and local file inclusion vulnerabilities.
Jaal: Validate and sanitize all user inputs to prevent directory traversal and file inclusion vulnerabilities in the Jaal framework engine.
Juniper: Validate and sanitize all user inputs to prevent directory traversal and file inclusion vulnerabilities in the Juniper framework engine.
Lacinia: Validate and sanitize all user inputs to prevent directory traversal and file inclusion vulnerabilities in the Lacinia framework engine.
Lighthouse: Validate and sanitize all user inputs to prevent directory traversal and local file inclusion vulnerabilities. Use a whitelist approach for allowed file paths and implement proper access controls to restrict file access.
Mercurius: Validate and sanitize all input paths to prevent directory traversal and local file inclusion vulnerabilities in the Mercurius framework engine.
Morpheusgraphql: Validate and sanitize all input paths to prevent directory traversal and local file inclusion vulnerabilities in MorpheusGraphQL. Implement strict whitelisting of allowed file paths and use secure libraries or built-in functions to handle file operations safely.
Gqlgen: Validate and sanitize all input parameters to prevent directory traversal and file inclusion vulnerabilities in the gqlgen framework.
Sangria: Validate and sanitize all file path inputs to prevent directory traversal and local file inclusion vulnerabilities.
Shopify: Validate and sanitize all user inputs to ensure they do not contain directory traversal sequences or unexpected file paths, and use Shopify's built-in security features to prevent unauthorized file access.
Stepzen: Validate and sanitize all user inputs to prevent directory traversal and file inclusion vulnerabilities. Use the built-in security features of the StepZen framework to restrict file access and ensure that only authorized files within the intended directory are accessible.
Strawberry: Implement input validation and sanitization to prevent directory traversal and local file inclusion vulnerabilities in the Strawberry framework engine.
Tartiflette: Validate and sanitize all file path inputs to prevent directory traversal and local file inclusion vulnerabilities in the Tartiflette framework.
Wpgraphql: Validate and sanitize all user inputs to prevent directory traversal and file inclusion vulnerabilities in the WPGraphQL framework.

Configuration

Identifier: injection/file_inclusion

Options

  • skip_objects : List of objects that are to be skipped by the security test.

Examples

Ignore this check

checks:
  injection/file_inclusion:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API10:2023
  • OWASP LLM: LLM06:2023
  • pci: 6.5.1
  • gdpr: Article-32
  • soc2: CC6
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-123
  • fedramp: SI-10

Classification

  • CWE: 22

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
  • CVSS_SCORE: 7.2

References