Regular expression review

johnphpnewb · June 21, 2019, 5:13pm

Hello, i am trying to implement a regular expression to filter for directory traversal. Some of you all ready know that i pass a file path to a router as a session variable attached to an input name. Thus, the random name of the input is placed as a value to the session key like:

$_SESSION['Path']['Animalia/Arthropoda/Insecta'] = base64_encode(random_bytes(8));

even though it is not typically possible to alter the session variable, directory traversal exists. I like to be thorough and filter even a session variable before using it. Atleast on a dedicated server.

i have set up the following regular expression because an array of possible values is impossible with taxonomy:

if (preg_match("/^[a-z\/]{1,128}$/i", $path) === 1) {
  //then file path is clear for inclusion
}

is this correct? i am not very good with regex, so i want to be sure that this is a solid filter.

astonecipher · June 21, 2019, 6:02pm

Test it. I am not sure what you are trying to find, so I can’t help with the espression.

https://www.phpliveregex.com/

johnphpnewb · June 21, 2019, 6:19pm

Hello astonecipher and good evening,

i all ready tested it on my site and it works but i am just curious if there is a better method.
essentially, i am just whitelisting letters and slashes. Then, i think, that dot dot slash and escape codes will be ignored.

everything seems to work as intended. the index page loads whenever i change the filepaths to any dot dot slash relative path.

if noone has any better methods, then i am happy. Thank you.

astonecipher · June 21, 2019, 6:37pm

If you are just trying to prevent the current directory and the next up, you add an exclusion list.

$exclude = [
    '.','..'
];

if(!in_array($path, $exclude))
// continue

johnphpnewb · June 21, 2019, 7:00pm

That is the first method that i had tried and it fails for some reason.
what i do is alter the session variable, like so:

'../Animalia/Arthropoda/Insecta';

i have no idea why the if in_array is failing me. the path is allowed. something is strange.
when i use the preg_match regex, the path fails and i see the homepage.

astonecipher · June 24, 2019, 11:57am

MY guess would be what you are trying to do, rather than the how, is causing the issue.

I ran into a problem over the weekend where a variable that was in scope wasn’t holding a value when called. I have to go back to it and unfortunately make a class tightly bound to another just so I can get it to work…

johnphpnewb · June 24, 2019, 2:59pm

i actually got it to work but it was a WHERE problem. I have my form submit to a process page instead of self. I use prg, so process php is better for me. Anyway, after i verify the post isset, then i call a function instead of handling the data in the process file. I wanted to clean up my code, so i moved it to a function. If everything is clear, then i send you to the index file which is a page router. I was trying to check the session variable in the index router. I know that the function has local scope but a session variable does not, or should not be local. I was checking if the session variable is in array. Now i check the array in the function and it stops directory traversal, id est, the path fails. I still don’t understand why this is so because of the session variable.

sorry that you are having trouble with the variable. scope is simple and complex at the same time. i’ve had a similar problem before so i also had to bind it tightly to the code that was utilizing it. I know that you will find the problem. You are an expert coder.