
How to fix Fortify Path Manipulation (Input Validation and Representation, Data Flow) vulnerability

I am getting a Fortify Path Manipulation vulnerability for creating a file with the `new` keyword.

I have tried to sanitize the path before passing it to the File object, but the problem persists. Tried this link also: https://www.securecoding.cert.org/confluence/display/java/FIO00-J.+Do+not+operate+on+files+in+shared+directories

```java
import java.net.URISyntaxException;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.EncodingException;

// Helper in the Utils class: canonicalizes (decodes) the supplied string with the OWASP ESAPI encoder.
// Note that canonicalization only removes encoding layers; it does not remove "../" segments.
public static String sanitizePath(String sUnsanitized) throws URISyntaxException, EncodingException {
    String sSanitized = ESAPI.encoder().canonicalize(sUnsanitized);
    return sSanitized;
}
```


```java
//// the main method code snippet /////

// `file` is the uploaded MultipartFile; its original filename is user-controlled input.
String sSanitizedPath = Utils.sanitizePath(file.getOriginalFilename());

// -- Fortify scan detects the problem here, in the line below --
File filePath = new File(AppInitializer.UPLOAD_LOCATION, sSanitizedPath);

String canonicalPath = filePath.getCanonicalPath();
FileOutputStream fileOutputStream = new FileOutputStream(canonicalPath);
```

After the sanitizePath call, I thought the scan would not pick up the vulnerability, but it did.

Does this "sUnsanitized" variable come from user input? Maybe this is your real problem.

Never trust user input; it's the number one rule of development.
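The point behind that answer is that Fortify tracks the taint from `file.getOriginalFilename()` to the `new File(...)` sink, and `ESAPI.encoder().canonicalize()` does not break that flow: it only decodes encoding layers, so a name such as `../../etc/passwd` survives it unchanged, and `new File(dir, name)` happily builds a path outside `dir`. What does remove the finding (and the real risk) is validation that rejects anything but a plain filename, followed by a containment check on the resolved path. The following is an added example, not the question's code or a Fortify-supplied fix; `SafeUploadPath`, `resolveUploadPath`, `check` and `Decision` are names chosen here, the temporary directory stands in for `AppInitializer.UPLOAD_LOCATION`, and the sample filenames are constructed inputs.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;

/**
 * Added example: allowlist-validate an upload filename, then confine the
 * resolved path to the upload directory before any file is created.
 */
public final class SafeUploadPath {

    // Allowlist: a leading alphanumeric, then up to 254 of [A-Za-z0-9._-].
    // Neither '/' nor '\\' can match, and "." / ".." cannot match because
    // the first character must be alphanumeric.
    private static final Pattern SAFE_NAME =
            Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,254}");

    private SafeUploadPath() {
    }

    /** Outcome of one validation attempt, for reporting. */
    public static final class Decision {
        public final String input;
        public final boolean accepted;
        public final String detail;

        Decision(String input, boolean accepted, String detail) {
            this.input = input;
            this.accepted = accepted;
            this.detail = detail;
        }

        @Override
        public String toString() {
            return (accepted ? "ACCEPT " : "REJECT ") + "\"" + input + "\" -> " + detail;
        }
    }

    /**
     * Returns the canonical path for originalFilename inside uploadDir, or throws
     * if the name fails the allowlist or the resolved path is not a direct child
     * of the canonical upload directory. uploadDir must already exist.
     */
    public static Path resolveUploadPath(Path uploadDir, String originalFilename) throws IOException {
        if (originalFilename == null || !SAFE_NAME.matcher(originalFilename).matches()) {
            throw new IllegalArgumentException("filename rejected by allowlist");
        }
        Path base = uploadDir.toRealPath();                    // canonical form, symlinks resolved
        Path target = base.resolve(originalFilename).normalize();
        // Defence in depth: the allowlist already rules out traversal, but confirm
        // that the resolved file sits directly under the canonical upload directory.
        if (!base.equals(target.getParent())) {
            throw new SecurityException("resolved path leaves the upload directory");
        }
        return target;
    }

    /** Wraps resolveUploadPath so a batch of names can be reported without exceptions escaping. */
    public static Decision check(Path uploadDir, String name) {
        try {
            Path p = resolveUploadPath(uploadDir, name);
            return new Decision(name, true, p.toString());
        } catch (IllegalArgumentException | SecurityException | IOException e) {
            return new Decision(name, false, e.getClass().getSimpleName() + ": " + e.getMessage());
        }
    }

    public static void main(String[] args) throws IOException {
        // Stand-in for AppInitializer.UPLOAD_LOCATION (assumption for this example).
        Path uploadDir = Files.createTempDirectory("uploads");
        // Constructed sample inputs: one ordinary name, one with inner dots, and
        // several shapes a validator must refuse.
        String[] samples = {
            "report-2024.pdf", "a..b.txt", "", "..", "../../etc/passwd",
            "sub/dir.txt", "..\\win.ini"
        };
        for (String s : samples) {
            System.out.println(check(uploadDir, s));
        }
    }
}
```

In the original snippet, the result of `resolveUploadPath` would replace `new File(AppInitializer.UPLOAD_LOCATION, sSanitizedPath)`, and the `FileOutputStream` would be opened on `target.toFile()`. Rejecting bad names with an exception, rather than trying to "clean" them, is what breaks the tainted data flow; whether Fortify recognizes the method as a validator automatically depends on its rule set, so confirm in the rescan and, if necessary, mark the method as a cleanse rule rather than suppressing the finding.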
