
How to fix Absolute Path Traversal in MavenWrapperDownloader.java

After a security scan, I get the error "Absolute Path Traversal" in the file:

https://github.com/takari/maven-wrapper/blob/master/.mvn/wrapper/MavenWrapperDownloader.java

Line 50: File baseDirectory = new File(args[0]);

MavenWrapperDownloader.java actually belongs to Apache... is there a new version of the file with which I will not get this error?

One option I found ( https://portswigger.net/web-security/file-path-traversal ) is to use

File file = new File(BASE_DIRECTORY, userInput);
if (file.getCanonicalPath().startsWith(BASE_DIRECTORY)) {
    // process file
} 

But in the Java class they are already checking:

File mavenWrapperPropertyFile = new File(baseDirectory, MAVEN_WRAPPER_PROPERTIES_PATH);
String url = DEFAULT_DOWNLOAD_URL;
if(mavenWrapperPropertyFile.exists()) {
...

Any suggestions?

For me, the code below worked; it is part of Apache Commons IO:

FilenameUtils.normalize(baseDirectory)

import org.apache.commons.io.FilenameUtils;
...

// baseDirectory is a java.io.File (line 50 of the downloader), while
// FilenameUtils.normalize() takes a String, so pass its path. normalize()
// collapses "." and ".." segments before the file is opened.
File mavenWrapperPropertyFile = new File(FilenameUtils.normalize(baseDirectory.getPath()), MAVEN_WRAPPER_PROPERTIES_PATH);
String url = DEFAULT_DOWNLOAD_URL;
if(mavenWrapperPropertyFile.exists()) {
...
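As an added example (editor's code, not from the question, the answer or the maven-wrapper project), the canonical-path containment check quoted from PortSwigger in the question, applied to the downloader's args[0]. The allowed root and the inputs in main() are assumptions constructed for the demo; the class and method names are hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

public class SafeBaseDirectory {

    /**
     * Resolves the directory passed on the command line (args[0] in the downloader)
     * against an allowed root and rejects it unless its canonical form stays inside
     * that root. getCanonicalPath() follows symlinks and collapses "." and "..", so
     * "project/../../etc" is caught even though the raw string has no absolute
     * prefix. Returns the canonical directory on success.
     */
    static File resolveBaseDirectory(String userInput, File allowedRoot) throws IOException {
        // Resolve relative to the root; an absolute child is still joined under the parent.
        File candidate = new File(allowedRoot, userInput);
        String rootCanonical = allowedRoot.getCanonicalPath();
        String candidateCanonical = candidate.getCanonicalPath();
        // Compare with a trailing separator so "/srv/app2" is not accepted under "/srv/app".
        String rootPrefix = rootCanonical.endsWith(File.separator)
                ? rootCanonical : rootCanonical + File.separator;
        if (!candidateCanonical.equals(rootCanonical)
                && !candidateCanonical.startsWith(rootPrefix)) {
            throw new IOException("base directory escapes the allowed root: " + userInput);
        }
        return new File(candidateCanonical);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sandbox root standing in for the project checkout (assumption).
        File root = Files.createTempDirectory("wrapper-root").toFile();
        String[] inputs = {".", "project", "project/../../etc", "../../../etc/passwd"};
        for (String input : inputs) {
            try {
                File dir = resolveBaseDirectory(input, root);
                System.out.println("accepted " + input + " -> " + dir);
            } catch (IOException e) {
                System.out.println("rejected " + input + ": " + e.getMessage());
            }
        }
    }
}
```

Unlike FilenameUtils.normalize(), which only rewrites the string, this check compares against the resolved root, so a value that still points outside the checkout after normalization is rejected rather than opened.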
