如何解决在Java代码中创建具有指定名称的文件时的安全漏洞？

Question

The security code scan does not like the following Java code:

File localCsvFile = new File(MessageFormat.format(REPORT_ZIP_PATH_FORMAT,
            REPORT_LOCAL_PATH, str1, str2, count));

According to the scan the problem is in follows:

The software allows user input to control or influence paths or file names that are used in filesystem operations. This could allow an attacker to access or modify system files or other files that are critical to the application.

What is the best way to solve this problem? I am in Spring Boot Java application. One of the proposed solution is to use AccessReferenceMap, how it works?

Answer 1

This problem is discussed in OWASP security guidelines. The solution can be a little bit different based on the application's host operating system, but here are some common guidelines -

• If possible try to avoid taking the file path from the user. Evaluate if there are any alternative solutions without asking the user to enter the path on the server. I don't have the full context of your scenario but most of the time it is achievable. Maybe you can store the report on a server path based on user ID, example user1 files will be stored under /user/tmp/user1, this will eliminate asking the user to enter full path or absolute path.

• Validate the user input as much as possible on the server-side. This will restrict user access as much as possible. For example, if the user is expected to access pdf then add validation to check the user input data to end with .pdf

• Never pass user input directly to file system APIs. Prefix it with a predefined path before sending it to file system APIs.

• Make sure your file system APIs are reading/writing with a restricted operating system user having access to a specific path where you store only files required by the user.

You can read more about this vulnerability and solutions here