Fortify file path manipulation solution recommendation

I'm creating a new file as a classpath resource. With the following code, there are critical- and high-level Path Manipulation issues on Fortify.

import java.io.File;
import java.io.IOException;
import java.nio.file.Paths;

import org.apache.commons.io.FilenameUtils;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.core.io.Resource;
import org.springframework.web.multipart.MultipartFile;

public class A {

    @Value("classpath:test")
    private Resource resource;

    // resource.getFile() declares IOException, so the method has to propagate it
    public void createFile(MultipartFile sourceFile) throws IOException {

        // client-supplied name, normalized with commons-io (removes "." and ".." steps)
        String fName = FilenameUtils.normalize(sourceFile.getOriginalFilename());

        //path manipulation (the line Fortify flags)
        File newFile = Paths.get(resource.getFile().getPath(), fName).normalize().toFile();

        ...
    }

}

I've also tried normalizing the path with FilenameUtils, but I'm still getting the same issues on Fortify. Are these Path Manipulation errors meaningful? Is there any other viable solution?

Btw, Sonar scans are clean for vulnerabilities.

Thanks for any advice!

Regards



Solution 1:[1]

public static String normalize(String fileName)

Normalizes a path, removing double and single dot path steps.

This method normalizes a path to a standard format. The input may contain separators in either Unix or Windows format. The output will contain separators in the format of the system.

It's a false positive. Most likely, the scan is done with Fortify unaware of the Apache commons-io library. You should seek counsel with whoever scans the thing and see if they have further comments on the issue (you can throw in the code for discussion).
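An added example, not code from the question or from the answer above, of the pattern a dataflow scanner will usually accept for this sink: an allow-list on the client-supplied name, resolution against the canonical base directory, and a containment check before the path reaches any file API. The base directory is taken as a parameter here (the question's code obtains it from resource.getFile()); the class name, the method name and the allow-list pattern are this example's own assumptions, not anything Fortify or Spring prescribe. It also handles an edge case the question's code does not: FilenameUtils.normalize returns null for a name that climbs above its root (for example "../x"), and Paths.get(base, null) then throws a NullPointerException, whereas here rejection is explicit.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;

// Added example, not from the original post: derive a safe target path for an
// uploaded file from a client-controlled name. The base directory and the
// allow-list pattern are this example's own assumptions.
public class SafeUploadPath {

    // Allow-list for the name: a single path segment that starts with a letter
    // or digit, continues with letters, digits, '.', '_' or '-', and is at most
    // 100 characters long. Anything else is rejected outright, not "cleaned".
    private static final Pattern SAFE_NAME =
            Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,99}");

    public static Path targetFor(Path baseDir, String originalFilename) throws IOException {
        if (originalFilename == null || originalFilename.isEmpty()) {
            throw new IllegalArgumentException("missing file name");
        }
        // Some clients send a full client-side path; keep only the last segment,
        // treating both '/' and '\' as separators regardless of the server OS.
        int cut = Math.max(originalFilename.lastIndexOf('/'), originalFilename.lastIndexOf('\\'));
        String name = cut >= 0 ? originalFilename.substring(cut + 1) : originalFilename;
        if (!SAFE_NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("rejected file name: " + originalFilename);
        }
        // Canonicalise the base first (toRealPath follows symlinks), then resolve
        // and verify the result is still inside it. With the allow-list above this
        // cannot fail, but it is the guard that matters if the list is ever loosened.
        Path base = baseDir.toRealPath();
        Path target = base.resolve(name).normalize();
        if (!target.startsWith(base)) {
            throw new SecurityException("path escapes base directory: " + target);
        }
        return target;
    }

    // Constructed sample names, covering accepted and rejected cases.
    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("upload-demo").toRealPath();
        String[] names = {
            "report.pdf",                  // accepted as-is
            "C:\\Users\\me\\report.pdf",   // accepted as report.pdf (basename only)
            "../../etc/passwd",            // accepted as passwd, stored inside base
            ".htaccess",                   // rejected: leading dot
            "..",                          // rejected: not a file name
            "bad name.txt",                // rejected: character outside the allow-list
        };
        for (String n : names) {
            try {
                System.out.println(n + " -> " + base.relativize(targetFor(base, n)));
            } catch (IllegalArgumentException e) {
                System.out.println(n + " -> " + e.getMessage());
            }
        }
    }
}
```

The point of the structure is that the value reaching the file sink is a fresh string that has passed a validation the scanner can see (a regex match followed by a startsWith check on the resolved path), rather than the tainted input run through a library call the scanner does not model as a sanitizer. If a full original filename must be preserved for display or logging, keep it in a separate variable and never let it reach the path construction.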

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Bagus Tesa