
Fortify security finding — CWE 22 Path Manipulation

I have the below code to get the latest modified file by given directory and the prefix of the filename. When I ran the HPE Fortify analysis it gave me "Path manipulation" findings. Can you guys guide me how to fix this finding? What is the best and secure approach to access the filesystem for a web application?

import java.io.File;
import java.io.FilenameFilter;

public static File getLatestFilefromDirWithFileName(String archivesDirectoryPath, String fileStartWith) {
    File archivesDirectory = new File(archivesDirectoryPath);

    // Keep only entries whose name starts with the requested prefix
    FilenameFilter textFilter = new FilenameFilter() {
        public boolean accept(File dir, String name) {
            return name.startsWith(fileStartWith);
        }
    };

    // listFiles returns null when the path is not a directory or cannot be read
    File[] filesInArchiveDir = archivesDirectory.listFiles(textFilter);
    if (filesInArchiveDir == null || filesInArchiveDir.length == 0) {
        return null;
    }

    // Pick the entry with the most recent modification time
    File lastModifiedFile = filesInArchiveDir[0];
    for (int i = 1; i < filesInArchiveDir.length; i++) {
        if (lastModifiedFile.lastModified() < filesInArchiveDir[i].lastModified()) {
            lastModifiedFile = filesInArchiveDir[i];
        }
    }

    return lastModifiedFile;
}

You must ensure that archivesDirectoryPath does not allow access to sensitive folders.

One way to do it is to validate that the specified folder is located in a white list of locations. This white list could either be defined in your code or be configurable by "administrator" users. Trying to process a folder that is not on this list should raise an Exception.

You can check that no /../ is used in the folder name, but checking that the resulting folder is part of your white list should be enough.
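The white-list approach described in this answer, as an added example that is not part of the original question or answer: the requested directory is canonicalised with toRealPath() (which resolves ".." and symlinks) and accepted only if it is one of the allow-listed roots or a directory beneath one, and only then is the latest-file selection from the question run on it. The class name, the allow-list contents and the temporary sample files are constructed for this demo.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.Comparator;
import java.util.HashSet;
import java.util.Set;

public class ArchiveDirAllowlist {
    // Allow-listed archive roots in canonical form (constructed for this demo; normally loaded from config)
    private final Set<Path> allowedRoots = new HashSet<>();
    public ArchiveDirAllowlist(String... roots) throws IOException {
        for (String r : roots) {
            allowedRoots.add(Paths.get(r).toRealPath()); // resolves ".." and symlinks; fails if missing
        }
    }

    // Canonicalise the requested directory, then accept it only if it is an allowed root or inside one
    public Path validateArchiveDir(String requested) throws IOException {
        Path real = Paths.get(requested).toRealPath();
        for (Path root : allowedRoots) {
            if (real.startsWith(root)) return real;
        }
        throw new SecurityException("directory is outside the allowed archive locations");
    }
    // Same selection as the question's method, but run only on a validated directory
    public File latestFileWithPrefix(String requestedDir, String prefix) throws IOException {
        File dir = validateArchiveDir(requestedDir).toFile();
        File[] matches = dir.listFiles((d, name) -> name.startsWith(prefix));
        if (matches == null) return null;
        return Arrays.stream(matches).max(Comparator.comparingLong(File::lastModified)).orElse(null);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample data: a temporary archive root holding two "report_" files, one older
        Path root = Files.createTempDirectory("archives");
        File older = Files.createFile(root.resolve("report_1.txt")).toFile();
        File newer = Files.createFile(root.resolve("report_2.txt")).toFile();
        older.setLastModified(newer.lastModified() - 60_000L);
        ArchiveDirAllowlist allow = new ArchiveDirAllowlist(root.toString());
        System.out.println("latest: " + allow.latestFileWithPrefix(root.toString(), "report_").getName());
        try {
            allow.latestFileWithPrefix(root.resolve("..").toString(), "report_"); // canonicalises to the parent
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because both the allow-listed roots and the requested path are compared after toRealPath(), a symlink or ".." segment that resolves outside the roots is rejected even when the raw string looks harmless.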
