[ 
https://issues.apache.org/jira/browse/IO-559?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17057966#comment-17057966
 ] 

Sravan Putluru commented on IO-559:
-----------------------------------

Project uses normalize() to generate file paths based on Windows\Linux, but 
Veracode security can report the line where the method is used as a Directory Traversal 
issue with medium flaws.
Commons IO 2.6 API unexpected behavior: the normalize(String s) method is not 
performing validations on path input. "../ " is allowed but it returns null if 
the input is something like "../../". With the below lines of code checks 
can remove path DT vulnerability issues. Could somebody please give a 
solution?
Veracode report result: Directory Traversal medium flaws detected, need to fix.

import org.apache.commons.io.FilenameUtils;

String fileName = "../../etc/passwd";

fileName = FilenameUtils.normalize(fileName); // still holds the same value ("//../foo")

if (fileName != null) {
    // file creation path eg: drivec\root\06-03-2020\folder\test
} else {
    throw new CustomerException("Invalid path creation found");
}

> FilenameUtils.normalize should verify hostname syntax in UNC path
> -----------------------------------------------------------------
>
>                 Key: IO-559
>                 URL: https://issues.apache.org/jira/browse/IO-559
>             Project: Commons IO
>          Issue Type: Bug
>          Components: Utilities
>    Affects Versions: 2.6
>            Reporter: Stefan Bodewig
>            Priority: Major
>             Fix For: 2.7
>
>
> {{FilenameUtils.normalize}} will accept broken file names as UNC path even if 
> their hostname part doesn't match the syntax of a proper hostname. Using 
> certain hostnames like "." this may lead to strange side effects.
> Most likely the best fix will be to make {{getPrefixLength}} verify the 
> hostname part of a suspected UNC path and return a value of {{NOT_FOUND}} if 
> it is not a valid hostname - much like it does for triple slashes.
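An added example (not code from the commenter, the reporter or Commons IO) showing how a caller can combine normalize() with a base-directory containment check, so that the traversal names discussed in the comment and the prefixed (absolute or UNC) names the issue is about are both rejected without relying on prefix parsing alone; the class name, the base directory /srv/app/data and the sample names are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import org.apache.commons.io.FilenameUtils;

/** Resolves an untrusted file name under a fixed base directory or rejects it. */
public final class SafeFileResolver {
    // Assumed base directory; a real service would read this from configuration.
    private static final Path BASE = Paths.get("/srv/app/data").toAbsolutePath().normalize();

    public static Path resolveUnderBase(String untrustedName) {
        if (untrustedName == null || untrustedName.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        // normalize() collapses "." and ".." segments and returns null when ".."
        // would climb above the start of the name (e.g. "../../etc/passwd").
        String normalized = FilenameUtils.normalize(untrustedName, true);
        if (normalized == null) {
            throw new IllegalArgumentException("path escapes its root: " + untrustedName);
        }
        // A non-zero prefix length means the name carries its own root: "/abs",
        // "C:/", "~user/" or a UNC prefix such as "//host/share/". Only plain
        // relative names are accepted, so the UNC hostname handling is never relied on.
        if (FilenameUtils.getPrefixLength(normalized) != 0) {
            throw new IllegalArgumentException("absolute or UNC path not allowed: " + untrustedName);
        }
        // Final containment check: the resolved path must still lie below BASE.
        Path resolved = BASE.resolve(normalized).normalize();
        if (!resolved.startsWith(BASE)) {
            throw new IllegalArgumentException("path escapes base directory: " + untrustedName);
        }
        return resolved;
    }

    public static void main(String[] args) {
        // Constructed sample names: the first is accepted, the rest are rejected.
        String[] samples = {
            "06-03-2020/folder/test",
            "../../etc/passwd",           // normalize() returns null
            "/etc/passwd",                // absolute prefix
            "\\\\server\\share\\file.txt", // UNC prefix
        };
        for (String s : samples) {
            try {
                System.out.println("OK       " + s + " -> " + resolveUnderBase(s));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECTED " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```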



--
This message was sent by Atlassian Jira
(v8.3.4#803005)